|
|
TCP |
8100 · HTTP
|
http
|
Sonde port 8100/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8100
Chemin / cible
/
Preuve honeypot — Sonde port 8100/TCP
Connexion détectée sur le port 8100 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8100_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8100
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8100 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "6eae026ce138d6d2c762facfcf5ef15124599371",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.105907200340986,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 8100,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "275412be9af05e22cc272bfea8a53beddef2fbd4",
"event_fingerprint": "7a28466e5f8dfbb9565954466fd6e0ef2b9ef823",
"classification_reason": "Type \u00ab port_8100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "ae1c79ebfae408828390d5649b314457",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8100,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8100\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8100\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8100\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8100\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8100\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_8100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "505d6d2092744ea32563973f6926d8e3e055251e",
"site_display": {
"classification": "port_8100_tcp",
"classification_reason": "Type \u00ab port_8100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence_pct": 55,
"confidence_breakdown": {
"classification": 0.55,
"kb_score": 0,
"rule_count": 0,
"payload_proof": false,
"pattern_proof": false,
"named_classification_skipped": true
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"dst_port": 8100,
"protocol_emulated": null,
"tags_summary": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"sensor_role": "threat_intelligence"
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
6666 · IRC ALT
|
irc-alt
|
Sonde IRC
|
Moyenne
|
Faible · 24
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
6666
Chemin / cible
—
Pourquoi cette classification : Type « irc-alt » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 24
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:6666
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:6666 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a",
"emulator_response_len": 50,
"bytes_in": 146,
"payload_entropy": 5.0778259299977675,
"port_category": "registered",
"org": "Google LLC",
"service": "irc-alt",
"app_proto": "irc-alt",
"asn": 396982,
"country": "BE",
"dst_port": 6666,
"risk_waf": 8,
"risk_classification": 16,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 32,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 0.5,
"risk_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 40,
"protocol": 32,
"novelty": 15
},
"risk_score": 24,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "68b153cb729b4046aaca25ef9890153b0ce340b0",
"event_fingerprint": "cc099e4209131811d1d4777bc753e7344e7f3434",
"classification_reason": "Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 40,
"protocol": 32,
"novelty": 15,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "irc-alt",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "49b9055940bf02fd9e7b8c5b6f32965a",
"path_pattern_hash": "6b182e382c1fe9f4c9dda6cd0b06efdd"
},
"target_context": {
"dst_port": 6666,
"service": "irc-alt",
"service_name": "irc-alt",
"risk_score": 24
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6666\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6666\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6666\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6666\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6666\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2bc7b93e81c5fc9e603f5fa74a0d7963eb663af8",
"site_display": {
"classification": "irc-alt",
"classification_reason": "Type \u00ab irc-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence_pct": 0,
"confidence_breakdown": {
"classification": 0,
"kb_score": 0,
"rule_count": 0,
"payload_proof": false,
"pattern_proof": false
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"risk_score": 24,
"risk_label": "Faible",
"service_name": "irc-alt",
"dst_port": 6666,
"protocol_emulated": true,
"tags_summary": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"sensor_role": "threat_intelligence"
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "irc_alt",
"service_banner": "honeypot-irc-alt",
"service_os": "linux",
"dst_port": "6666"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8014 · HTTP
|
http
|
Sonde port 8014/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8014
Chemin / cible
/
Preuve honeypot — Sonde port 8014/TCP
Connexion détectée sur le port 8014 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8014_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8014
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8014 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "fedcfc435e5ba83e450211a6e3fe5ae95ce1e3be",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.124776292821557,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 8014,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "7dad229c4b5051bd7237e1375a5c5dd76e1f9d2f",
"event_fingerprint": "2984ad926d40355f1cdca8924e79dbb0e8a0df8d",
"classification_reason": "Type \u00ab port_8014_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "918526be6d0c2f574cdd2126618d76f6",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8014,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8014\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8014\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8014\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8014\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8014\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_8014_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c117a2789bd0691618b964edcb1d0a8b9a72edc9",
"site_display": {
"classification": "port_8014_tcp",
"confidence_pct": 55,
"confidence_breakdown": {
"classification": 0.55,
"kb_score": 0,
"rule_count": 0,
"payload_proof": false,
"pattern_proof": false,
"named_classification_skipped": true
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"dst_port": 8014,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"sensor_role": "threat_intelligence"
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8014"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
556 · HTTP
|
http
|
Sonde port 556/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
556
Chemin / cible
/
Preuve honeypot — Sonde port 556/TCP
Connexion détectée sur le port 556 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_556_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:556
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connectio
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:556 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "69b88462512a24d2f18a65c34d60b5215b76d905",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 145,
"payload_entropy": 5.078239025584786,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 556,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "a2eb228a732d29b25b28511e61f79c33747fb16f",
"event_fingerprint": "02acafe03ba81c0b9710eea48b9a39a36dde1241",
"classification_reason": "Type \u00ab port_556_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "6fdf0155e5442ef3b90f480b3a7f4bff",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 556,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:556\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:556\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:556\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:556\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:556\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"classification_reason": "Type \u00ab port_556_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4b5d40696813753d38164ea6ce0d6e6b26ecff3b",
"site_display": {
"classification": "port_556_tcp",
"confidence_pct": 55,
"confidence_breakdown": {
"classification": 0.55,
"kb_score": 0,
"rule_count": 0,
"payload_proof": false,
"pattern_proof": false,
"named_classification_skipped": true
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"dst_port": 556,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"sensor_role": "threat_intelligence"
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "556"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9310 · HTTP
|
http
|
Sonde port 9310/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9310
Chemin / cible
/
Preuve honeypot — Sonde port 9310/TCP
Connexion détectée sur le port 9310 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_9310_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9310
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9310 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "d021ec0513ad14713b1a7bac1353de7a5b75a495",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.100052727928154,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9310,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "24ccf97aebfd517b9424c664e637b1465c1fcd9e",
"event_fingerprint": "a9fb8745c144f774f40c4fd402c63b4d3281a593",
"classification_reason": "Type \u00ab port_9310_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "8bd31cbfcc97bb43257e7ab73f6a35e1",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9310,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9310\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9310\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9310\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9310\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9310\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_9310_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "64372e25f376bf1ddf0234b55a34dd31bc3a62c1",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9310"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
16067 · HTTP
|
http
|
Sonde port 16067/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
16067
Chemin / cible
/
Preuve honeypot — Sonde port 16067/TCP
Connexion détectée sur le port 16067 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_16067_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:16067
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:16067 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "5d6f33933277d4f39a350a7a214f49ed3fcb196f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.116325852681951,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 16067,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "a18aeedfd52ddfcb54520f3d06c493e444e55153",
"event_fingerprint": "ba9d077b8bdb2ee83c2aa6c224025793e39e4153",
"classification_reason": "Type \u00ab port_16067_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "b9a0a36728913a69b8b766b538008c5e",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 16067,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16067\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16067\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16067\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16067\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16067\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_16067_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "88376a925946ecee7372e34cc5464d9e63f4cdf0",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "16067"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
13000 · HTTP
|
http
|
Sonde port 13000/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
13000
Chemin / cible
/
Preuve honeypot — Sonde port 13000/TCP
Connexion détectée sur le port 13000 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_13000_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:13000
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:13000 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "e8a3450f69b9e0b6cdcc83e7f77fd97aadd4bf70",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.083300322258322,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 13000,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.2,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "1ecd0097f0939ec9f5d8eb02f56923eeda973dd9",
"event_fingerprint": "b548ff16101cb1d34928589f2503ef01939fa7b9",
"classification_reason": "Type \u00ab port_13000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "0c67f6d5420de8f8b20561176c22cd05",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 13000,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_13000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "58419b0c4cb127eeb31b55e0e020cf47df5f53b9",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "13000"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
10225 · HTTP
|
http
|
Sonde port 10225/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
10225
Chemin / cible
/
Preuve honeypot — Sonde port 10225/TCP
Connexion détectée sur le port 10225 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_10225_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:10225
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:10225 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "3572879157116d1203d2d2b42da462d8b7bc5435",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.083300322258322,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 10225,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "cbefa553c9e42f36e6b0331e9b8c3c9f90958c0f",
"event_fingerprint": "f8a8f29888d606e5cc2b4d1c8263214536078a2e",
"classification_reason": "Type \u00ab port_10225_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "ae6fad2d04c630baf1cc7e7125cf2e14",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 10225,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10225\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10225\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10225\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10225\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10225\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_10225_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2cbfafc535e387c471bd8f0fcc7bd0e2c3c5fb82",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10225"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
2082 · HTTP
|
http
|
Sonde port 2082/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2082
Chemin / cible
/
Preuve honeypot — Sonde port 2082/TCP
Connexion détectée sur le port 2082 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_2082_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2082
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:2082 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "4319c7ade0bba7afb97efbb687810dc600e3e05b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.096695022478339,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 2082,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 30
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "1554eaffb76a70909eb91dad2ec6ed3797227487",
"event_fingerprint": "599c0f1c4d7c64d6bc8183d5c7b712a0254b9c6c",
"classification_reason": "Type \u00ab port_2082_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "ec54c579dc7d7a18e2fa655225738188",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2082,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_2082_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "534646e2b0a26720ec1f8dc07029f41b4a3c8ff7",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9143 · HTTP
|
http
|
Sonde port 9143/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9143
Chemin / cible
/
Preuve honeypot — Sonde port 9143/TCP
Connexion détectée sur le port 9143 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_9143_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9143
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9143 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "cfadb3ad2cd3dcf38644f26fee12b30f0d345c37",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.113751358065142,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9143,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "d44124f59b8bf2b012cd0d8a733a2688bfca3596",
"event_fingerprint": "76df3f65d1d0dc21028953cfc3c3f1ff1db9cea1",
"classification_reason": "Type \u00ab port_9143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "0b910532d525f8d1931cf9011a9f1d0b",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9143,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9143\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9143\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9143\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9143\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9143\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_9143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3776bab1b44f760cae0052d9edda6aa70da70fbd",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9143"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
4117 · HTTP
|
http
|
Sonde port 4117/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
4117
Chemin / cible
/
Preuve honeypot — Sonde port 4117/TCP
Connexion détectée sur le port 4117 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_4117_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:4117
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:4117 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "d39b2493002909cd53220d11e7bb03c780cf4070",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.116248125028156,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 4117,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "6c1c5949beb3969858028a621175744cf7f6f358",
"event_fingerprint": "7a359ac735c9b72a92d28c975535f7edf4eb490d",
"classification_reason": "Type \u00ab port_4117_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "0f39ba4991418c7441f57586f29316cf",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 4117,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4117\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4117\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4117\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4117\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4117\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_4117_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5fa3ebd6e261570ce2acf87fbee13d57fd8f9f8c",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "4117"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9916 · HTTP
|
http
|
Sonde port 9916/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9916
Chemin / cible
/
Preuve honeypot — Sonde port 9916/TCP
Connexion détectée sur le port 9916 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_9916_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9916
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9916 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "92ac5cb9d2ad6888c5a6a56d64f3d26c0149644d",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.111077662684571,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9916,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.7,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "e62e3db6a48d809e55ef1dab8bfe03260cfc3442",
"event_fingerprint": "e7ed11e5ae46899f172dfcedd6b39d90e881c855",
"classification_reason": "Type \u00ab port_9916_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "a4a38b59ac66ab304c51a60e290cd8e4",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9916,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9916\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9916\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9916\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9916\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9916\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_9916_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "18d49d0ca224368963c4743ffb247c6cc0a25878",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9916"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8153 · HTTP
|
http
|
Sonde port 8153/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8153
Chemin / cible
/
Preuve honeypot — Sonde port 8153/TCP
Connexion détectée sur le port 8153 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8153_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8153
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8153 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "7eb324e9e3cb43552d68631d595d0cb9c0b125e8",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.094882265584569,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 8153,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "7accebb69973eabef5dfa60032827c1a7c02b029",
"event_fingerprint": "2049ca7a19c655830fe4ccde79c1564dc49e9a42",
"classification_reason": "Type \u00ab port_8153_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "f8f41b5ff839313c9a7567e8012d1294",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8153,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8153\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8153\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8153\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8153\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8153\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_8153_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "29f3b0ccc1f4245e69f18095abcd582f5a78509d",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8153"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9168 · HTTP
|
http
|
Sonde port 9168/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9168
Chemin / cible
/
Preuve honeypot — Sonde port 9168/TCP
Connexion détectée sur le port 9168 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_9168_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9168
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9168 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "fa1a5fedd591fea5fe4d2c9af2a67fdca7cd4620",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.124776292821557,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9168,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "7754045dad9de0253b25cf4974f3518692cc9be3",
"event_fingerprint": "8542ce9175c7a3a86169a93d11300eaefb704167",
"classification_reason": "Type \u00ab port_9168_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "ed2c639ce889e4fa0d97d6cbde325f57",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9168,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9168\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9168\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9168\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9168\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9168\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_9168_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "26fb836982b2311debce44e69f1cc948a3a1ab2d",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9168"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
11434 · HTTP
|
http
|
Sonde port 11434/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
11434
Chemin / cible
/
Preuve honeypot — Sonde port 11434/TCP
Connexion détectée sur le port 11434 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_11434_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:11434
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:11434 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "0edcf6ab7022a3c1a90b1ad0670bd95a56782eca",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.102041053565556,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 11434,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 30
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "b0157be0baca064e776b5b6bdd864e952ca90825",
"event_fingerprint": "d5e0a124b6c8c88b138ac370b20015015eca08b8",
"classification_reason": "Type \u00ab port_11434_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "1ae0550ea4df6d39ff90714712738261",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 11434,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_11434_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a73e5f3c228f58d2eac358e2289995e8cb831774",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "11434"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8641 · HTTP
|
http
|
Sonde port 8641/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8641
Chemin / cible
/
Preuve honeypot — Sonde port 8641/TCP
Connexion détectée sur le port 8641 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8641_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8641
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8641 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "56671cc85d5a4061be7c2993e4b1863c744dd40a",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.124776292821557,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 8641,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "fa90a2842376a518c12c9eff412ee76a30fea0f8",
"event_fingerprint": "43fe099caf575cf54054c64dfca7627b537a553a",
"classification_reason": "Type \u00ab port_8641_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "a32bf9f58716e19e3357e864a4a95edd",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8641,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8641\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8641\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8641\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8641\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8641\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_8641_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f1354bde3491d82e1df7443804198f65a2eba278",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8641"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
30007 · HTTP
|
http
|
Sonde port 30007/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
30007
Chemin / cible
/
Preuve honeypot — Sonde port 30007/TCP
Connexion détectée sur le port 30007 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_30007_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:30007
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:30007 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "e32e5643561736fcba0fb96a85573bcabcfee8e5",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.102041053565556,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 30007,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "4a844f5d0f1dc9eb21a0fe8d223783806812b46e",
"event_fingerprint": "2daf66637d77eae540a4dff40b2a5789568d6538",
"classification_reason": "Type \u00ab port_30007_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "4241c99619062faedd54b5a8644b338f",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 30007,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30007\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30007\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30007\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30007\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30007\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_30007_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ab4253524659b1183ac6bab4e0ac8e00e1fe4bc0",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "30007"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8104 · HTTP
|
http
|
Sonde port 8104/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8104
Chemin / cible
/
Preuve honeypot — Sonde port 8104/TCP
Connexion détectée sur le port 8104 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8104_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8104
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8104 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "14b4fbd0ca7343e065b55f1e122368e45ec07bd5",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.124776292821557,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 8104,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "44b3038d30761ed7f367fdac7d690a20ad618596",
"event_fingerprint": "ed58e461f4d6a30cc2d6ca7475cf7c36b5e26282",
"classification_reason": "Type \u00ab port_8104_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "bd0059ba12a18e3397412b07098a58fd",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8104,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8104\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8104\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8104\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8104\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8104\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_8104_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1df888f25632b6f1d6b256cb05cdb5624a3f95ec",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8104"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
32303 · HTTP
|
http
|
Sonde port 32303/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
32303
Chemin / cible
/
Preuve honeypot — Sonde port 32303/TCP
Connexion détectée sur le port 32303 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_32303_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:32303
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:32303 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "cc431c75c0969aa0f33767321c163f24c201af21",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.066075363240366,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 32303,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.6,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "f8bd2a56537590d5e81a7e7a6a9d9d0ad6044e2a",
"event_fingerprint": "d0013316e0ca66637f13b24c001394b31fe62d86",
"classification_reason": "Type \u00ab port_32303_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "fb4bee638dc3fdd027cdea7b226a5c92",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 32303,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32303\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32303\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32303\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32303\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32303\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_32303_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f5508d64844c41124d895a8d8912f4c0f75dcd3e",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "32303"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7071 · HTTP
|
http
|
Sonde port 7071/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
7071
Chemin / cible
/
Preuve honeypot — Sonde port 7071/TCP
Connexion détectée sur le port 7071 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_7071_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:7071
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:7071 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "42808972b6fbbcaf5927ead490161ad0114b2f1a",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.111077662684571,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 7071,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "3d41f09082ab685c231c6e3da9c67fb1b373ae48",
"event_fingerprint": "c39ea9fcbcda7f2c60c45ff4287cbc724295477d",
"classification_reason": "Type \u00ab port_7071_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "3481494b4246979e4247306130efadb7",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 7071,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7071\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7071\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7071\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7071\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7071\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_7071_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c827f3abb193c2d5357af8fc60714bf584bfe9b6",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7071"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9458 · HTTP
|
http
|
Sonde port 9458/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9458
Chemin / cible
/
Preuve honeypot — Sonde port 9458/TCP
Connexion détectée sur le port 9458 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_9458_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9458
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9458 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "34b6680562cdb7b5052d79401cdb6d5438d54271",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.138474922958543,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9458,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "23d9af6772126809bfca43e1fbeaae0c50a7a18e",
"event_fingerprint": "42bd8f3ed8162619406b04792e59bbd11808af3a",
"classification_reason": "Type \u00ab port_9458_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "97f057104f8aefd641bd7dadc11ebd76",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9458,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9458\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9458\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9458\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9458\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9458\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_9458_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "84bc2153ce56d3a9405f8c60bfc1ceb919bb73ea",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9458"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
4461 · HTTP
|
http
|
Sonde port 4461/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
4461
Chemin / cible
/
Preuve honeypot — Sonde port 4461/TCP
Connexion détectée sur le port 4461 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_4461_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:4461
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:4461 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "7bbc55f25873cf30713b2ac2ed9a922eae85daaa",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.111077662684571,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 4461,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "c2102e34ed8f1f7909a1d4ab12da3e9321ffd4aa",
"event_fingerprint": "dec916d3ae1f3aa09d3f11eaf9886e6c1753dc9e",
"classification_reason": "Type \u00ab port_4461_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "6a4e24fd7afc3a4fe9a45a6091d8673e",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 4461,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4461\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4461\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4461\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4461\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4461\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_4461_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9287836a0ef2d0a8cb5ae47bad3aee444b472c8b",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "4461"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
19071 · HTTP
|
http
|
Sonde port 19071/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
19071
Chemin / cible
/
Preuve honeypot — Sonde port 19071/TCP
Connexion détectée sur le port 19071 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_19071_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:19071
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:19071 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "044bcf67eda652a84eea2cd81bf21c97643800fe",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.126596430942677,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 19071,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "047f758a18ca0a88b8497385fc5362e466e411a6",
"event_fingerprint": "478af53560eff61b43996d40f2162c495d399eec",
"classification_reason": "Type \u00ab port_19071_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "806fa24039ee16b8c5541036052ddcf5",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 19071,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19071\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19071\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19071\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19071\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19071\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_19071_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "01fc4a8e2c7f63b13c3e825633cbaf3cfcabc6c2",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "19071"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8580 · HTTP
|
http
|
Sonde port 8580/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8580
Chemin / cible
/
Preuve honeypot — Sonde port 8580/TCP
Connexion détectée sur le port 8580 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8580_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8580
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8580 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "3b92dcf65d37a1ed69493055c6ff03c3ac0cf448",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.111077662684571,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 8580,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "5451f58b76032c9661d6f64a2cfcdd4fdf58518c",
"event_fingerprint": "42be0961ce385e1c2e79ba55b76894a981853e9f",
"classification_reason": "Type \u00ab port_8580_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "b8427c32b69e66d0018ccbbeccf57c55",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8580,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8580\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8580\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8580\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8580\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8580\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_8580_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "92ebb6438dc99e4f2c3b7719e9b02cb5c2378a28",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8580"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8061 · HTTP
|
http
|
Sonde port 8061/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8061
Chemin / cible
/
Preuve honeypot — Sonde port 8061/TCP
Connexion détectée sur le port 8061 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8061_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8061
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8061 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "b9ffd028be40ebc703de87fb21296f36452dad0d",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.111077662684571,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 8061,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.6,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "2c9f389767ca6d3a923917ab339d8b3e23fb17c6",
"event_fingerprint": "77fdd3504fd972d8bf900fe2de48e390835d306c",
"classification_reason": "Type \u00ab port_8061_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "93f2947802d7bb8f2d6454564e22326a",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8061,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8061\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8061\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8061\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8061\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8061\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_8061_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b259d373d3145019312c601d6bf6b62497aa4e4b",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8061"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
21 · FTP
|
ftp
|
Sonde port 21/TCP
|
Élevée
|
Moyen · 40
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
ftp_auth_attempt
ftp_auth_probe
ftp_emulated
net_ftp_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
21
Chemin / cible
—
Preuve honeypot — Sonde port 21/TCP
Connexion détectée sur le port 21 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_21_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
USER anonymous
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f7420465450205365727665722072656164792e0d0a3333312050617373776f726420726571756972656420666f7220757365722e0d0a",
"emulator_response_len": 65,
"bytes_in": 16,
"payload_entropy": 3.75,
"port_category": "well_known",
"org": "Google LLC",
"service": "ftp",
"app_proto": "ftp",
"asn": 396982,
"country": "BE",
"dst_port": 21,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 10
},
"risk_score": 40,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "e566a551dace5ca775e068b072341a2eed7d5f94",
"event_fingerprint": "07fdc90e0dd65f1bc1a6bace3f4b4df61a0c8659",
"classification_reason": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 10,
"risk_score": 40
},
"named_classification_skipped": true,
"named_candidate": "ftp_probe",
"service_name": "ftp",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0d14e8dd95e3e871a180c82e1bc78157",
"path_pattern_hash": "859ddb95f048d27beffd6a8201284af6"
},
"target_context": {
"dst_port": 21,
"service": "ftp",
"service_name": "ftp",
"risk_score": 40
},
"payload_preview": "USER anonymous\r\n",
"request_sample": "USER anonymous\r\n",
"payload_snippet": "USER anonymous",
"evidence": {
"request_sample": "USER anonymous\r\n",
"payload_snippet": "USER anonymous",
"classification_reason": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fd67ea85a100e25909ca933f5eff9c9f54640310",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ftp",
"service_banner": "honeypot-ftp",
"service_os": "linux",
"dst_port": "21"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"ftp_auth_attempt",
"ftp_auth_probe",
"ftp_emulated",
"net_ftp_probe",
"pop3_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
21 · FTP
|
ftp
|
Sonde port 21/TCP
|
Élevée
|
Moyen · 40
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
ftp_emulated
net_ftp_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
21
Chemin / cible
—
Preuve honeypot — Sonde port 21/TCP
Connexion détectée sur le port 21 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_21_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f7420465450205365727665722072656164792e0d0a",
"emulator_response_len": 32,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "ftp",
"app_proto": "ftp",
"asn": 396982,
"country": "BE",
"dst_port": 21,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 40,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "0e3137812f19bf14aa1acaa110935b990e3b112f",
"event_fingerprint": "07fdc90e0dd65f1bc1a6bace3f4b4df61a0c8659",
"classification_reason": "Type \u00ab port_21_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 40
},
"named_classification_skipped": true,
"named_candidate": "ftp_probe",
"service_name": "ftp",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "859ddb95f048d27beffd6a8201284af6"
},
"target_context": {
"dst_port": 21,
"service": "ftp",
"service_name": "ftp",
"risk_score": 40
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "aef850f2f0f56e7728957dd601186b911e4bde66",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ftp",
"service_banner": "honeypot-ftp",
"service_os": "linux",
"dst_port": "21"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"ftp_emulated",
"net_ftp_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
3124
|
http
|
Scan de ports
|
Élevée
|
Moyen · 43
|
|
Étape
Reconnaissance
MITRE
TA0043
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
3124
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:3124
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:3124 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "73a42f4ef08f897130d197d58785235b3e7b4d3a",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.091524560134753,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 3124,
"risk_waf": 32,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 43,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "07fce312f2c1eae36efa9080398f1aa79866e363",
"event_fingerprint": "37379428c64c16f757bb3f81cff5209de9290607",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 171,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "261a11d9c42e8aa62132d3ca29542caf",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 3124,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3124\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3124\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3124\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3124\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3124\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "287c14660749c8dfa45f3c29dbb96fa827f413f9",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9734
|
http
|
Scanner web
|
Élevée
|
Faible · 18
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9734
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9734
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9734 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "ab000da41d225e778a7e36031f94d512529b9cad",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.132620450545713,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9734,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 18,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "3aa314ce417e2b5c267529a5d7f0b1990c134a00",
"event_fingerprint": "7530450273e11bfa950674904d698ca091a68c8e",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "70e19edf61ff4edc6a4500c09984ceef",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9734,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9734\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9734\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9734\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9734\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9734\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "25878ddc7f43116b85901aab305a7a58e06be9f7",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8001
|
http
|
Scanner web
|
Élevée
|
Faible · 19
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8001
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8001
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8001 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "29d114ae8a3567c5f1863f5bd79c5d398a432fe8",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.105907200340986,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 8001,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 19,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "6bca3549b67d73330b4c72b41c2c80960f093e08",
"event_fingerprint": "678d926e98c4c6c06c358f11fdcb1b1513183571",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "e13de1c7cf4236bdbc289a15c666a199",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8001,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8001\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8001\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8001\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8001\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8001\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "36fd58a3dbe78858d60738d5360ea0f8f2d0cb56",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9052
|
http
|
Scanner web
|
Élevée
|
Faible · 18
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9052
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9052
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9052 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "1561b9d50d28a4fdc0f3044228822e0ade1f4f9c",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.1025494948911705,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9052,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 18,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "95ecd08512803b9519a5ae13946844bb88e83fc8",
"event_fingerprint": "cdc059a534507fa6cba14e993bb41418b265b298",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "f13004d44f64f91f9729f9b36df55842",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9052,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9052\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9052\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9052\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9052\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9052\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "930c6111aa3ed683bf3076c9b617aa1ddf8cd4de",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
11602
|
http
|
Scan de ports
|
Élevée
|
Moyen · 41
|
|
Étape
Reconnaissance
MITRE
TA0043
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
11602
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:11602
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:11602 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "bcb0e4f85c0cc84559eec8a45a08e82505aabb09",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.0909153935424305,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 11602,
"risk_waf": 32,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 41,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "5cf5ec50ef32b3347c1c78b0d16db43517b761eb",
"event_fingerprint": "9ea19d8e5b55b0711962fdf909e7183c85727412",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 171,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "95b3a8f147649bcc6f3e12c11f316f1a",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 11602,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11602\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11602\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11602\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11602\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11602\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cec4d865bbae3605ec527f99d050f932cbdb4d3d",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5544
|
http
|
Scanner web
|
Élevée
|
Faible · 22
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5544
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:5544
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:5544 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "19e63a993689bb56ea72b2c7f4827f2d25bcb6d8",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.1025494948911705,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 5544,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 22,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "f0c9312cccc05918b608e352c970e54ea9a46a91",
"event_fingerprint": "ac9fe00e88b3c00e9a8df1eda168b010b7fdc469",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "db0a91188f4815e360ea22c52882d0fe",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5544,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5544\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5544\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5544\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5544\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5544\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "891a585ee65fc0de8acbb14d9a8c2e99e892c3fe",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
18040
|
http
|
Scanner web
|
Élevée
|
Faible · 23
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
18040
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:18040
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:18040 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "73af191af5c8170d88d93997830a6f1662dcaabf",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.129931294858822,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 18040,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 23,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "27a96a5b55f27a9940702e617ff955df64eb02f3",
"event_fingerprint": "05a740567e49fe5f6da4c8688c02ee043d55cad3",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "6a55b6e1750a71ed4bd479baaf2eecd9",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 18040,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18040\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18040\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18040\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18040\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18040\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ca0a4cd9f91b721bf284f8ff28ab8e2bb7452d50",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9203
|
http
|
Scanner web
|
Élevée
|
Faible · 23
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9203
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9203
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9203 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "e92b718328952eaf8116e79ea0ca2c3046d5ed14",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.096695022478339,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9203,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.7,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 23,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "b38800619fffbed273ee47a6384dee6efcb104ce",
"event_fingerprint": "32ba9cea60c2bb1871ecdd754cd417adb5a19c03",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "ee7f03848cf2d56e2f52772f4003bf6d",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9203,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9203\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9203\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9203\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9203\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9203\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d2ab7248b5b1d4fa5b3a6bcf1a1b547c978589e0",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
21295
|
http
|
Scanner web
|
Élevée
|
Faible · 23
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
21295
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:21295
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:21295 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "dbce70e99d0886abaa2f35d49652c82b2bc592ac",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.096905764435193,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 21295,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 23,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "cc431bd8f6140512191ee57455cb2260e37b9afc",
"event_fingerprint": "468b331a15adaebcd276811371bd40171b30f678",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "8a019b8374008875cb51acc097e926e3",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 21295,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21295\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21295\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21295\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21295\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21295\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0d22a0f058ce16dc480b9c230e4933b33d729ec3",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
4430
|
http
|
Scanner web
|
Élevée
|
Faible · 23
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
4430
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:4430
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:4430 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "9a80722c9efb5e5f2d11f77cb62c3d71cfc23a94",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.105223190271739,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 4430,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 23,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "6c476b0089c48a3f5eb88bedd7e13cf1eae16ab3",
"event_fingerprint": "a1018877d5f2deb027a7e6816139833da4fe61d2",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "47f9320c5fca0f983794c0a6342d86ad",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 4430,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4430\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4430\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4430\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4430\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4430\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bbec326a4cd62e5b22e0de8486213985309f8a4c",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7015
|
http
|
Scanner web
|
Élevée
|
Faible · 20
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
7015
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:7015
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:7015 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "d3843d756b46aca6a40bbf9aa339073597f2c48b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.105907200340986,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 7015,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 20,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "f6eda61812eccec5abcd9c03c8e39386b1478f99",
"event_fingerprint": "a8b5ec52257d55e27fb224fa7a6e0fc2286a839f",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "0e60a0cb1f22129cecf8689e0eaf9d05",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 7015,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7015\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7015\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7015\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7015\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7015\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "49b38f98833e94d9fd616301b7efdd416f28ff8b",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9029
|
http
|
Scanner web
|
Élevée
|
Faible · 20
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9029
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9029
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9029 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "21f12baf8279a9b0ed333d7b2961b9fa4d3098d2",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.107719957234756,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9029,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 20,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "fb398c422303c653098947daf12fd22ae61a86ee",
"event_fingerprint": "f7f6e556ae48c031cc0b0167461064117d12fc64",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "8b1ee41133a8706b02e9ca85300ebbbc",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9029,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "22d907d6999505d41d4b1a0de81b8f6057ff3470",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
6500
|
http
|
Scanner web
|
Élevée
|
Faible · 22
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
6500
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:6500
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:6500 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "f426b29060c6b68e9bc1e6f7d90504b527fa4ee2",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.092208570204,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 6500,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 22,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "737a8f68f9867d2916283f1ab2a1120f15725c89",
"event_fingerprint": "307d7d3adc568e1fc55988c77100c0f96b37d936",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "5a1a16fc292023119ea766bd9f5e0f49",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 6500,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "166edd91d660bebf7717dd325269afb96f39ec7e",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
3187
|
http
|
Scanner web
|
Élevée
|
Faible · 22
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
3187
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:3187
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:3187 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "a9cd2b339e44f0bc47843105caf9187258cea729",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.113751358065142,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 3187,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 22,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "2a1841cedf13321504bcd88435a2ea0567e47c2f",
"event_fingerprint": "c72289375eda39b09b20d2cd49e8f63b1d0fc389",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "d97e713f660963ed1b89d504415c0779",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 3187,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3187\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3187\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3187\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3187\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3187\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1c629756606de5cad8800258e16984d5378e9ffa",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9082
|
http
|
Scanner web
|
Élevée
|
Faible · 23
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9082
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9082
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9082 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "0fe40ab70afe675223d923f1cb4a4eb33854af7a",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.121418587371742,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9082,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 23,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "414119e58a10b16d507f63953d201f915322c0b9",
"event_fingerprint": "2e38907e79c656013ee36456a9f6870118c4c25b",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "5e00e103173ff3367cdfa8a1eae2cbf9",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9082,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5596a8d80335972f583f86e907a5aeaba3498121",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7548
|
http
|
Scanner web
|
Élevée
|
Faible · 21
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
7548
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:7548
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:7548 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "7006d2fab4c6574a3ef90142360933edd3bc70f1",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.138474922958543,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 7548,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 21,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "ce01216b525520e7f18793f17938b7b751d6bac5",
"event_fingerprint": "9b94d6bd2aa30fb1abfaeaec70fb1aec2970b9cb",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "8b1e78a2653f53256028226cabe82003",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 7548,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7548\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7548\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7548\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7548\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7548\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8dfb54dca1aa61c2a95eca7c49e7efecfd6f7b2b",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5915
|
http
|
Scanner web
|
Élevée
|
Faible · 22
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5915
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:5915
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:5915 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "820fe5cc023afaee8b574050125cd074eff06e81",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.097379032547585,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 5915,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 22,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "6d17522ca7268761f5a8282c9086af82f8df5292",
"event_fingerprint": "41814a024a4b0c2155fb93a9f1ded689cc2e0048",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "e5c0337c30e057bbbc02a0c9e3801b44",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5915,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5915\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5915\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5915\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5915\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5915\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a86c159d301b4f256353189157014017f2510582",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
8026
|
http
|
Scanner web
|
Élevée
|
Faible · 23
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8026
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8026
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8026 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "57242f4460496bd67f8e5ae46a85d48920b413ae",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.107719957234756,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 8026,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 23,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "f0a9db66a59ee6072c7669e023a72c53bc82c75c",
"event_fingerprint": "855851eef54a11211688f7c6422311582fb56c0c",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "a1a7f7479e7a4185670a1bd3fd8dd082",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8026,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8026\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8026\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8026\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8026\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8026\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fa5189edf6271504ab2757fde91c128f35e48842",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
1198
|
http
|
Scanner web
|
Élevée
|
Faible · 21
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
1198
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:1198
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:1198 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "26450aad178c9aa62ba89db61de9cdafd128430c",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.116248125028156,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 1198,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 21,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "5231d1c9b9482debfc3f5d28ce3545f7e5928b3a",
"event_fingerprint": "e5ab8fe9603d6e93988632bcf2a2437eb918ebfe",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "285b9c570624cc401bde9dec51bfd854",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1198,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1198\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1198\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1198\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1198\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1198\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dd512be359621271b8db617b28e9ae6c694c8319",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
88
|
http
|
Scanner web
|
Élevée
|
Faible · 22
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
88
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:88
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connection
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:88 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "3f53fd38a0b70842554ee03ec3c54d18c411dc66",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 144,
"payload_entropy": 5.095326672675844,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 88,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 22,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "e7e7ad2975deeeb60b8751a994eb7763df052f98",
"event_fingerprint": "fa17b6f9ffc0a884fcc54ad25019036664306546",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "862c98f4f87aade808def214326da0d1",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 88,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b5e2894cd9923ddb647460efdbdd7542acdf05a0",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
3151
|
http
|
Scanner web
|
Élevée
|
Faible · 21
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
3151
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:3151
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:3151 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "540b739c7c0911920dd9cedfabd8b5632bffd65c",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.072655467654182,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 3151,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 21,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "81bdf7386179d325ca4a643f9d859234f8d09a5d",
"event_fingerprint": "ac86fb5f7796ebaa50415ced59e63d09e402c58a",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "7ac2efeaa3684955d298e323daa61c3f",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 3151,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3151\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3151\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3151\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3151\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3151\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d5e5daf0e815556d8a6fcfb593032017377cf5da",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
503
|
http
|
Scanner web
|
Élevée
|
Faible · 19
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
503
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:503
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connectio
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:503 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "3164cb471952e661e08421b8fbea7262dc8e811a",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 145,
"payload_entropy": 5.075725039539266,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 503,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 19,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "745e0cc1b2ea14636086d942c09d9b0e0eba1dc8",
"event_fingerprint": "7de8725a93694dda8c5de1b17bb9e13829f123d9",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "801b70ac6dde7495447b910710c24a39",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 503,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "94d7d95f06aeb9da832e15eae6b76011a5a1e8c7",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
3183
|
http
|
Scanner web
|
Élevée
|
Faible · 22
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
3183
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:3183
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:3183 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "06a10267a69be2e5133ce2450d99e61d4cb77ea3",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.0870381078604145,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 3183,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 22,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "3be4ab5a84c3f4a44d8c69bbdd860f4c81dae873",
"event_fingerprint": "733e17d9d666b1672a2cee26850c3b2d96565ff1",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "edcc13d29647274d0e7a6c92d85b94fc",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 3183,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0a7efeff5308a44cae70aded37964caf4d8cdfdc",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|