Renseignement sur les menaces

Brésil

35.198.18.110

FAI Google LLC Première vue 14/06/2026 15:21 UTC Dernière vue 14/06/2026 15:21 UTC Risque Critique

Période analysée : 2026-06-11 → 2026-06-18

Activité suspecte — risque 67/100 (Élevé) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 88/100 Critique

Première observation 14/06/2026 15:21 UTC

Dernière observation 14/06/2026 15:21 UTC

Événements (période) 854

MITRE ATT&CK principal TA0007 432 occurrences

Activité suspecte — risque 67/100 (Élevé) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 92 · Bonus corrélation +8 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 35.198.16.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 854 événements sur la période pour cette IP.

162.216.149.38 Scanner web 18/06/2026 11:52 UTC
162.216.149.8 Scan vulnérabilités 18/06/2026 11:52 UTC
162.216.150.94 Scanner web 18/06/2026 11:49 UTC
162.216.150.75 Sonde PostgreSQL 18/06/2026 11:49 UTC
162.216.149.81 Scanner web 18/06/2026 11:48 UTC
35.203.211.195 Sonde PostgreSQL 18/06/2026 11:47 UTC
35.222.165.200 couchdb probe 18/06/2026 11:46 UTC
35.203.211.135 Scanner web 18/06/2026 11:45 UTC

Événements (filtres)

854

Première observation

14/06/2026 15:21 UTC

Dernière observation

14/06/2026 15:21 UTC

Dernière activité (filtres)

14/06/2026 15:21 UTC

Événements 7j

854

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

TLS TCP 427 HTTP TCP 427

TLS

427

HTTP

427

Géolocalisation

Origine réseau déclarée

Brésil unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 7373 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http flood · via HTTP:7373 · (tentative d'exploit) · → /sendgrid-config.json

Détails protocole

Méthode: GET
Chemin: /sendgrid-config.json
User-Agent: Mozilla/5.0 (OS/2; U; OS/2; en-US) AppleWebKit/533.3 (KHTML, like Gecko) QupZilla/1.3.1 Safari/533.3

Aperçu payload

GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (OS/2; U; OS/2; en-US) AppleWebKit/533.3 (KHT

Port / service

7373 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 3 tag(s) WAF

Technique MITRE

T1499

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1499

Confiance

100% Corrélation +8

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

854 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

854 événement(s) — page 3/18

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /server/application.properties	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server/application.properties UA Mozilla/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Bui… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /server/application.properties TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /server/application.properties Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server/application.properties HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build/R1AA056) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server/application.properties HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; U; Android 1.6; en-us; SonyE Requête brute (extrait) GET /server/application.properties HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build/R1AA056) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Accept-Charset: utf-8 A Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "properties", "http_ua_hash": "81bf066f0e8b4121046beb1cd806204bd2d379f7", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "e433f4a25bea9c7091dd294797aba9f705b3a3fe", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 299, "payload_entropy": 5.3481561751408035, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 64, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bab03f20c37d1f7247a4f1b9166bd5390cc9877d", "event_fingerprint": "93df0ef561c08fc1c0d8f3dd4089e8ef0758c978", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5d11d0a23bb001075f37a6bd6babbf05", "payload_hash": "21575edebbd5144d1cb064197b970d59", "path_pattern_hash": "e3539cb3f1c980b2fa1f000afb7b6896" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/server\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyE", "method": "GET", "path": "\/server\/application.properties", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build\/R1AA056) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/application.properties HTTP\/1.1", "request_sample": "GET \/server\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build\/R1AA056) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nA", "payload_snippet": "GET \/server\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyE", "evidence": { "method": "GET", "path": "\/server\/application.properties", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build\/R1AA056) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/application.properties HTTP\/1.1", "request_sample": "GET \/server\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build\/R1AA056) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nA", "payload_snippet": "GET \/server\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyE", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0ba738cb583f8b243dd94a98651f7dc9ae8b2342", "protocol_details": { "http_method": "GET", "http_path": "\/server\/application.properties", "request_line": "GET \/server\/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build\/R1AA056) AppleWebKit\/528.5 (KHTML, like Gecko) Versi\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyE", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/application.properties", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/application.properties", "request_line": "GET \/server\/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build\/R1AA056) AppleWebKit\/528.5 (KHTML, like Gecko) Versi\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/application.properties", "evidence_snippet": "GET \/server\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyE", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /server/database.yml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server/database.yml UA Avant Browser/1.2.789rel1 (http://www.avantbrowser.com) Émulateur HTTP WAF 18 Recommandation Investiguer Tags 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /server/database.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /server/database.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Database YAML LFI Double-dot bypass Ligne de requête `GET /server/database.yml HTTP/1.1` User-Agent Avant Browser/1.2.789rel1 (http://www.avantbrowser.com) Règles WAF ssrf-3 nosqli-3 Payload (extrait) GET /server/database.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Avant Browser/1.2.789rel1 (http://www.avantbrowser.com) A Requête brute (extrait) GET /server/database.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Avant Browser/1.2.789rel1 (http://www.avantbrowser.com) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "d2252eb771e4eec88081691e9a7fe02000ef5b62", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "aa0f50eb579ffeade54de0b8a91905c499016135", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 194, "payload_entropy": 5.184564593902462, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 80, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 80, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f6a737420c77e9f4e79ac855d9e1a85425bad00f", "event_fingerprint": "d0051dc0152cd176dbf127c581e21128515487ae", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0474", "pat-0103" ], "matched_pattern_names": [ "Cred Database YAML", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0474", "pat-0103" ], "confidence_breakdown": { "waf": 80, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4944e79cd760319f0194b0c3c7e7e440", "payload_hash": "ba11450cf70cc9d2a3d07f67d9b9fd0c", "path_pattern_hash": "71d6b5c79d1b79d1d13caa0c134a8b3a" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/server\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Avant Browser\/1.2.789rel1 (http:\/\/www.avantbrowser.com)\r\nA", "method": "GET", "path": "\/server\/database.yml", "user_agent": "Avant Browser\/1.2.789rel1 (http:\/\/www.avantbrowser.com)", "waf_tags": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/server\/database.yml HTTP\/1.1", "request_sample": "GET \/server\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Avant Browser\/1.2.789rel1 (http:\/\/www.avantbrowser.com)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Avant Browser\/1.2.789rel1 (http:\/\/www.avantbrowser.com)\r\nA", "evidence": { "method": "GET", "path": "\/server\/database.yml", "user_agent": "Avant Browser\/1.2.789rel1 (http:\/\/www.avantbrowser.com)", "waf_tags": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/server\/database.yml HTTP\/1.1", "request_sample": "GET \/server\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Avant Browser\/1.2.789rel1 (http:\/\/www.avantbrowser.com)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Avant Browser\/1.2.789rel1 (http:\/\/www.avantbrowser.com)\r\nA", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9de867189b2ca783fc34658c76a04eeac3838c64", "protocol_details": { "http_method": "GET", "http_path": "\/server\/database.yml", "request_line": "GET \/server\/database.yml HTTP\/1.1", "http_user_agent": "Avant Browser\/1.2.789rel1 (http:\/\/www.avantbrowser.com)", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Avant Browser\/1.2.789rel1 (http:\/\/www.avantbrowser.com)\r\nA", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/database.yml", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 80, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/database.yml", "request_line": "GET \/server\/database.yml HTTP\/1.1", "http_user_agent": "Avant Browser\/1.2.789rel1 (http:\/\/www.avantbrowser.com)", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/database.yml", "evidence_snippet": "GET \/server\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Avant Browser\/1.2.789rel1 (http:\/\/www.avantbrowser.com)\r\nA", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 80 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:7373 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7373 Chemin / cible — Service TLS Payload ��4)"�~��=5��R�&�\圥QwR�@7 )A� �\|�%0�JY�S$#�W��_8��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��4)"�~��=5��R�&�\圥QwR�@7 )A� �\|�%0�JY�S$#�W��_8��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��4)"�~��=5��R�&�\圥QwR�@7 )A� �\|�%0�JY�S$#�W��_8��&�+�/�,�0̨̩� �� /5� w �+3&$ �)n�ҮvQ8_��;^qjS�O@�,��WYW� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.849528454819202, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8aa0986985b15fad944749be675067b127bd5dfd", "event_fingerprint": "80ae7b245ee692f04eaae628590d47ffc7bce516", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "a7f4d6b185e041765a94532dde1937f0", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7373, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4)\u0017\u0010\"\ufffd~\ufffd\u001e\ufffd\ufffd\ufffd=5\ufffd\ufffdR\ufffd&\ufffd\\\u5725QwR\ufffd@7 )A\ufffd\t\ufffd\|\ufffd%0\ufffdJY\u0005\u0013\ufffdS$#\ufffdW\u0006\ufffd\ufffd_\u001c8\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4)\u0017\u0010\"\ufffd~\ufffd\u001e\ufffd\ufffd\ufffd=5\ufffd\ufffdR\ufffd&\ufffd\\\u5725QwR\ufffd@7 )A\ufffd\t\ufffd\|\ufffd%0\ufffdJY\u0005\u0013\ufffdS$#\ufffdW\u0006\ufffd\ufffd_\u001c8\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd)n\ufffd\u0011\u04aevQ8_\ufffd\ufffd;^\u001fqjS\ufffdO@\u0017\ufffd,\ufffd\ufffdWYW\ufffd\u0010", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4)\u0017\u0010\"\ufffd~\ufffd\u001e\ufffd\ufffd\ufffd=5\ufffd\ufffdR\ufffd&\ufffd\\\u5725QwR\ufffd@7 )A\ufffd\t\ufffd\|\ufffd%0\ufffdJY\u0005\u0013\ufffdS$#\ufffdW\u0006\ufffd\ufffd_\u001c8\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0997c9ac6b4d1906217d2274afb7c97e3a22a68e", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4)\u0017\u0010\"\ufffd~\ufffd\u001e\ufffd\ufffd\ufffd=5\ufffd\ufffdR\ufffd&\ufffd\\\u5725QwR\ufffd@7 )A\ufffd\t\ufffd\|\ufffd%0\ufffdJY\u0005\u0013\ufffdS$#\ufffdW\u0006\ufffd\ufffd_\u001c8\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd4)\"\ufffd~\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffdR\ufffd&\ufffd\\\u5725QwR\ufffd@7 )A\ufffd\t\ufffd\|\ufffd%0\ufffdJY\ufffdS$#\ufffdW\ufffd\ufffd_8\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4)\u0017\u0010\"\ufffd~\ufffd\u001e\ufffd\ufffd\ufffd=5\ufffd\ufffdR\ufffd&\ufffd\\\u5725QwR\ufffd@7 )A\ufffd\t\ufffd\|\ufffd%0\ufffdJY\u0005\u0013\ufffdS$#\ufffdW\u0006\ufffd\ufffd_\u001c8\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd4)\"\ufffd~\ufffd\ufffd\ufffd\ufffd=5\ufffd\ufffdR\ufffd&\ufffd\\\u5725QwR\ufffd@7 )A\ufffd\t\ufffd\|\ufffd%0\ufffdJY\ufffdS$#\ufffdW\ufffd\ufffd_8\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /server/settings.json	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server/settings.json UA Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110623 Firefo… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /server/settings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /server/settings.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server/settings.json HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110623 Firefox/7.0a1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server/settings.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110623 Requête brute (extrait) GET /server/settings.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko/20110623 Firefox/7.0a1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "f2cf947415e0bd8251985704bb970663da1b2f75", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "828cdcc902d2d0915012e1403580e3433895b5c7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.314780735612159, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 64, "tag_count": 4, "anomaly_count": 0, "campaign_key": "05f3bd052b9cff3160d287bf5c585185b75cabc0", "event_fingerprint": "c3caa8cc1f993689b1a615f8458960729b139e9c", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a69a41ab5095e3c9fb109b0603116ced", "payload_hash": "de493e383ddc0f280a6f33fd5b1975bf", "path_pattern_hash": "28fba90884643b291ca8ed06bf04078f" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/server\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623 ", "method": "GET", "path": "\/server\/settings.json", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623 Firefox\/7.0a1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/settings.json HTTP\/1.1", "request_sample": "GET \/server\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623 Firefox\/7.0a1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623", "evidence": { "method": "GET", "path": "\/server\/settings.json", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623 Firefox\/7.0a1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/settings.json HTTP\/1.1", "request_sample": "GET \/server\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623 Firefox\/7.0a1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44bd87ed4a8bb9ef2961472f2c87bc55129246ea", "protocol_details": { "http_method": "GET", "http_path": "\/server\/settings.json", "request_line": "GET \/server\/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623 Firefox\/7.0a1", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/settings.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/settings.json", "request_line": "GET \/server\/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623 Firefox\/7.0a1", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/settings.json", "evidence_snippet": "GET \/server\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:7.0a1) Gecko\/20110623", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:7373 · (tentative d'exploit) · → /config/database.yml	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /config/database.yml UA Opera/9.51 Beta (Microsoft Windows; PPC; Opera Mobi/1718; U; en) Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/database.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/database.yml Service HTTP Pourquoi cette classification : Type « credential_file_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0474 pat-0487 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Database YAML Cred Rails database credentials LFI Rails database.yml Ligne de requête `GET /config/database.yml HTTP/1.1` User-Agent Opera/9.51 Beta (Microsoft Windows; PPC; Opera Mobi/1718; U; en) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/database.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Opera/9.51 Beta (Microsoft Windows; PPC; Opera Mobi/1718; Requête brute (extrait) GET /config/database.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Opera/9.51 Beta (Microsoft Windows; PPC; Opera Mobi/1718; U; en) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "bf99bdb2df9ff411212cd16df810fd2e8cbe87e0", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "324166cb65153559217bf0708f5a6254e46c2733", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 203, "payload_entropy": 5.262727503222177, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3d15a1df9f3da072bc7217b5568d9304fd9d593e", "event_fingerprint": "fd30b5e843f37a3a2e891ddf92b2b74c0c4ef4ef", "classification_reason": "Type \u00ab credential_file_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 160, "precision_signals": [ "pat-0474", "pat-0487" ], "kb_rule_ids": [ "pat-0474", "pat-0487" ], "matched_patterns": [ "pat-0474", "pat-0487", "pat-0130" ], "matched_pattern_names": [ "Cred Database YAML", "Cred Rails database credentials", "LFI Rails database.yml" ], "pattern_ids": [ "pat-0474", "pat-0487", "pat-0130" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6eab20584148e65d2ebd8af763b95b4d", "payload_hash": "f57314a09658f79f77068ba66ccc66fa", "path_pattern_hash": "8e18067a263c70f5df57381290358eb6" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/config\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Opera\/9.51 Beta (Microsoft Windows; PPC; Opera Mobi\/1718; ", "method": "GET", "path": "\/config\/database.yml", "user_agent": "Opera\/9.51 Beta (Microsoft Windows; PPC; Opera Mobi\/1718; U; en)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/database.yml HTTP\/1.1", "request_sample": "GET \/config\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Opera\/9.51 Beta (Microsoft Windows; PPC; Opera Mobi\/1718; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Opera\/9.51 Beta (Microsoft Windows; PPC; Opera Mobi\/1718;", "evidence": { "method": "GET", "path": "\/config\/database.yml", "user_agent": "Opera\/9.51 Beta (Microsoft Windows; PPC; Opera Mobi\/1718; U; en)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/database.yml HTTP\/1.1", "request_sample": "GET \/config\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Opera\/9.51 Beta (Microsoft Windows; PPC; Opera Mobi\/1718; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Opera\/9.51 Beta (Microsoft Windows; PPC; Opera Mobi\/1718;", "classification_reason": "Type \u00ab credential_file_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "34ff76314056fa50b28c4c01ea874eb68cfbe779", "protocol_details": { "http_method": "GET", "http_path": "\/config\/database.yml", "request_line": "GET \/config\/database.yml HTTP\/1.1", "http_user_agent": "Opera\/9.51 Beta (Microsoft Windows; PPC; Opera Mobi\/1718; U; en)", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Opera\/9.51 Beta (Microsoft Windows; PPC; Opera Mobi\/1718;", "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/database.yml", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab credential_file_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab credential_file_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0474", "pat-0487" ], "tags_summary_labels_fr": [ "pat-0474", "pat-0487" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/database.yml", "request_line": "GET \/config\/database.yml HTTP\/1.1", "http_user_agent": "Opera\/9.51 Beta (Microsoft Windows; PPC; Opera Mobi\/1718; U; en)", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/database.yml", "evidence_snippet": "GET \/config\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Opera\/9.51 Beta (Microsoft Windows; PPC; Opera Mobi\/1718;", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/config.yml	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/config.yml UA Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/config.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/config.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/config.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 Requête brute (extrait) GET /config/config.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "d5ddd104539bfa72865607edcd6b14ea1f2b8a4b", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "4b477b42944b87fd4e11e277a534d68f945d83fe", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.373877731338991, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3d15a1df9f3da072bc7217b5568d9304fd9d593e", "event_fingerprint": "83af9cb9f96525c523ec907ed523239e61b12afd", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7bd1161a9f3e5e848bd927daba3e4232", "payload_hash": "1796647e0be1712f9f7c3406f55bffaa", "path_pattern_hash": "5e7f381673d898357804d76b7becb05a" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 ", "method": "GET", "path": "\/config\/config.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/config.yml HTTP\/1.1", "request_sample": "GET \/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/config\/config.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/config.yml HTTP\/1.1", "request_sample": "GET \/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "138c7ae85dcb951d7aa43705cf5c386d61ebbbee", "protocol_details": { "http_method": "GET", "http_path": "\/config\/config.yml", "request_line": "GET \/config\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/config.yml", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/config.yml", "request_line": "GET \/config\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/config.yml", "evidence_snippet": "GET \/config\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /server/appsettings.json	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server/appsettings.json UA Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /server/appsettings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /server/appsettings.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred ASP.NET settings Ligne de requête `GET /server/appsettings.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server/appsettings.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/5 Requête brute (extrait) GET /server/appsettings.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "9f44694db042382b1894b9467bda9cec0203a128", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "c7b54c7590a4c4182f88d140c445e8a96b77c466", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.36180542610243, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 64, "tag_count": 4, "anomaly_count": 0, "campaign_key": "05f3bd052b9cff3160d287bf5c585185b75cabc0", "event_fingerprint": "2c4c31b0cabc4d34474dcd59ceed360a8e5d3221", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0466" ], "matched_pattern_names": [ "Cred ASP.NET settings" ], "pattern_ids": [ "pat-0466" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dfad63a0b311a8b1ad2a0387ee24907c", "payload_hash": "00ba34f200a2842ed5821b394ac85f16", "path_pattern_hash": "c34b3864659f22d384f06d606e8053e9" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/server\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/5", "method": "GET", "path": "\/server\/appsettings.json", "user_agent": "Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/appsettings.json HTTP\/1.1", "request_sample": "GET \/server\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/server\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/server\/appsettings.json", "user_agent": "Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/appsettings.json HTTP\/1.1", "request_sample": "GET \/server\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/server\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a27ecca1ca8c844b2a78235fa580b78d8fc867db", "protocol_details": { "http_method": "GET", "http_path": "\/server\/appsettings.json", "request_line": "GET \/server\/appsettings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/5", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/appsettings.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/appsettings.json", "request_line": "GET \/server\/appsettings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/appsettings.json", "evidence_snippet": "GET \/server\/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/5", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:7373 · (tentative d'exploit) · → /server/credentials.json	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /server/credentials.json UA Mozilla/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build/HUAWEI… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /server/credentials.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /server/credentials.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0472 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Credentials JSON Ligne de requête `GET /server/credentials.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build/HUAWEIPRA-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.0.1207 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server/credentials.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Bui Requête brute (extrait) GET /server/credentials.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build/HUAWEIPRA-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.0.1207 Mobile Safari/5 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "860913b61e46d7facc0ced91a573eef44a22f05d", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "0448476e8596bfb535234584ac471c02983c6fe7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 330, "payload_entropy": 5.5009028276884075, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "fbcb70275ea325d070811f85fb942e0a4141e611", "event_fingerprint": "685151611ca0cdf4dacaa40154652b368f1cc96c", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0472" ], "matched_pattern_names": [ "Cred Credentials JSON" ], "pattern_ids": [ "pat-0472" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "855dbe16b519013e705ccb640f8fde6a", "payload_hash": "c4541297eee4ea547fb3c7aaf6dc7b22", "path_pattern_hash": "017fc0dcd972a4e3aefd53875717b41b" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/server\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Bui", "method": "GET", "path": "\/server\/credentials.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.13.0.1207 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/credentials.json HTTP\/1.1", "request_sample": "GET \/server\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.13.0.1207 Mobile Safari\/5", "payload_snippet": "GET \/server\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Bui", "evidence": { "method": "GET", "path": "\/server\/credentials.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.13.0.1207 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/credentials.json HTTP\/1.1", "request_sample": "GET \/server\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.13.0.1207 Mobile Safari\/5", "payload_snippet": "GET \/server\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Bui", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "336a2a2e898086be8743146538cd0272900897f3", "protocol_details": { "http_method": "GET", "http_path": "\/server\/credentials.json", "request_line": "GET \/server\/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Bui", "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/credentials.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0472", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/credentials.json", "request_line": "GET \/server\/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/credentials.json", "evidence_snippet": "GET \/server\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Bui", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:7373 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7373 Chemin / cible — Service TLS Payload ��#�{�<�e�d�Hթ�ʶk��Z�\TͥP� u~�A�� q��9^��C��nZ\|&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��#�{�<�e�d�Hթ�ʶk��Z�\TͥP� u~�A�� q��9^��C��nZ\|&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��#�{�<�e�d�Hթ�ʶk��Z�\TͥP� u~�A�� q��9^��C��nZ\|&�+�/�,�0̨̩� �� /5� w �+3&$ (eD"3P��N[��Zl�!oK Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.879988900014492, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8aa0986985b15fad944749be675067b127bd5dfd", "event_fingerprint": "80ae7b245ee692f04eaae628590d47ffc7bce516", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "90f0ed996da40a124abc38fa66a45889", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7373, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd{\ufffd<\ufffd\u0014e\ufffdd\ufffdH\u0569\ufffd\u02b6k\ufffd\ufffd\ufffd\ufffdZ\ufffd\\T\u001a\u0365P\ufffd u~\ufffdA\u000f\b\ufffd\ufffd \ufffd\ufffdq\ufffd\u0090\u0005\ufffd9^\ufffd\ufffdC\ufffd\ufffd\ufffd\u0006\ufffd\ufffd\ufffdnZ\|\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd{\ufffd<\ufffd\u0014e\ufffdd\ufffdH\u0569\ufffd\u02b6k\ufffd\ufffd\ufffd\ufffdZ\ufffd\\T\u001a\u0365P\ufffd u~\ufffdA\u000f\b\ufffd\ufffd \ufffd\ufffdq\ufffd\u0090\u0005\ufffd9^\ufffd\ufffdC\ufffd\ufffd\ufffd\u0006\ufffd\ufffd\ufffdnZ\|\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 (eD\"3P\ufffd\u000f\ufffd\ufffdN[\ufffd\ufffd\ufffd\u0007\ufffd\u0016\ufffd\ufffd\ufffd\u0006\ufffdZl\ufffd\u000f\u0007!oK", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd{\ufffd<\ufffd\u0014e\ufffdd\ufffdH\u0569\ufffd\u02b6k\ufffd\ufffd\ufffd\ufffdZ\ufffd\\T\u001a\u0365P\ufffd u~\ufffdA\u000f\b\ufffd\ufffd \ufffd\ufffdq\ufffd\u0090\u0005\ufffd9^\ufffd\ufffdC\ufffd\ufffd\ufffd\u0006\ufffd\ufffd\ufffdnZ\|\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4037b31ef1dc6aa1eabeab0a95e50a174205d73d", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd{\ufffd<\ufffd\u0014e\ufffdd\ufffdH\u0569\ufffd\u02b6k\ufffd\ufffd\ufffd\ufffdZ\ufffd\\T\u001a\u0365P\ufffd u~\ufffdA\u000f\b\ufffd\ufffd \ufffd\ufffdq\ufffd\u0090\u0005\ufffd9^\ufffd\ufffdC\ufffd\ufffd\ufffd\u0006\ufffd\ufffd\ufffdnZ\|\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd#\ufffd{\ufffd<\ufffde\ufffdd\ufffdH\u0569\ufffd\u02b6k\ufffd\ufffd\ufffd\ufffdZ\ufffd\\T\u0365P\ufffd u~\ufffdA\ufffd\ufffd \ufffd\ufffdq\ufffd\u0090\ufffd9^\ufffd\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdnZ\|&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd{\ufffd<\ufffd\u0014e\ufffdd\ufffdH\u0569\ufffd\u02b6k\ufffd\ufffd\ufffd\ufffdZ\ufffd\\T\u001a\u0365P\ufffd u~\ufffdA\u000f\b\ufffd\ufffd \ufffd\ufffdq\ufffd\u0090\u0005\ufffd9^\ufffd\ufffdC\ufffd\ufffd\ufffd\u0006\ufffd\ufffd\ufffdnZ\|\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd#\ufffd{\ufffd<\ufffde\ufffdd\ufffdH\u0569\ufffd\u02b6k\ufffd\ufffd\ufffd\ufffdZ\ufffd\\T\u0365P\ufffd u~\ufffdA\ufffd\ufffd \ufffd\ufffdq\ufffd\u0090\ufffd9^\ufffd\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdnZ\|&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /server/application.yml	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server/application.yml UA HTMLParser/1.6 Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950468:nosqli-3 net_flood Cible HTTP GET /server/application.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /server/application.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server/application.yml HTTP/1.1` User-Agent HTMLParser/1.6 Règles WAF nosqli-3 Payload (extrait) GET /server/application.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: HTMLParser/1.6 Accept-Charset: utf-8 Accept-Encoding: Requête brute (extrait) GET /server/application.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: HTMLParser/1.6 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "4795231a22fb3723ee7614729d2f174075c02b4d", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "1babc6c454a6fc42efeb454c80481032b2fa8f90", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 156, "payload_entropy": 5.118880086027321, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 2, "anomaly_count": 0, "campaign_key": "5f4e3aeb1abede7f105587d8c71b87ea89b43f87", "event_fingerprint": "2473c220a03912e351e2218505e430087212d463", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2d2b2f462df541a5583d5751faedf94b", "payload_hash": "da0f10b60029ecc4ad2501503c4d399b", "path_pattern_hash": "23f526d2ca37db6a43ced5d6a1fca46f" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/server\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: HTMLParser\/1.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "method": "GET", "path": "\/server\/application.yml", "user_agent": "HTMLParser\/1.6", "waf_tags": [ "950468:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/server\/application.yml HTTP\/1.1", "request_sample": "GET \/server\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: HTMLParser\/1.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: HTMLParser\/1.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "evidence": { "method": "GET", "path": "\/server\/application.yml", "user_agent": "HTMLParser\/1.6", "waf_tags": [ "950468:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/server\/application.yml HTTP\/1.1", "request_sample": "GET \/server\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: HTMLParser\/1.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: HTMLParser\/1.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "122146ccbefcf809a646583124d0baff0c47b15c", "protocol_details": { "http_method": "GET", "http_path": "\/server\/application.yml", "request_line": "GET \/server\/application.yml HTTP\/1.1", "http_user_agent": "HTMLParser\/1.6", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: HTMLParser\/1.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/application.yml", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/application.yml", "request_line": "GET \/server\/application.yml HTTP\/1.1", "http_user_agent": "HTMLParser\/1.6", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/application.yml", "evidence_snippet": "GET \/server\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: HTMLParser\/1.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/settings.json	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/settings.json UA Mozilla/5.0 (Linux; U; Android 2.0; en-us; Milestone Build/ SHO… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/settings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/settings.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/settings.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 2.0; en-us; Milestone Build/ SHOLS_U2_01.03.1) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/settings.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; U; Android 2.0; en-us; Milestone Buil Requête brute (extrait) GET /config/settings.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; U; Android 2.0; en-us; Milestone Build/ SHOLS_U2_01.03.1) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Accept-Charset: utf-8 Accept-Enco Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "6e8b07bac497fa9f2707570ce9fcb06b711c04ec", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "685504ac0d6e0f8f1fa3f76b520b87d9ae0b417b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 289, "payload_entropy": 5.370173188846613, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3d15a1df9f3da072bc7217b5568d9304fd9d593e", "event_fingerprint": "a9abaa8932c56c59f2e2cb81584dc232a6fb35e1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "afc464e3d0de0b12e5ffcb4570ea9a68", "payload_hash": "4f50de263221a0d2caebf886295b3c71", "path_pattern_hash": "67287998b6e12c15adb9346817eff41d" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/config\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Buil", "method": "GET", "path": "\/config\/settings.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/settings.json HTTP\/1.1", "request_sample": "GET \/config\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Enco", "payload_snippet": "GET \/config\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Buil", "evidence": { "method": "GET", "path": "\/config\/settings.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/settings.json HTTP\/1.1", "request_sample": "GET \/config\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Enco", "payload_snippet": "GET \/config\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Buil", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e65fae2cdc426f5343d1fd4853ff46f51af941fb", "protocol_details": { "http_method": "GET", "http_path": "\/config\/settings.json", "request_line": "GET \/config\/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1) AppleWebKit\/530.17 (KHTML, like Gecko) Ve\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Buil", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/settings.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/settings.json", "request_line": "GET \/config\/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1) AppleWebKit\/530.17 (KHTML, like Gecko) Ve\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/settings.json", "evidence_snippet": "GET \/config\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Buil", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/settings.php	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/settings.php UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/settings.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/settings.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Settings PHP Ligne de requête `GET /config/settings.php HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Maxthon/4.5.2 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/settings.php HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKi Requête brute (extrait) GET /config/settings.php HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Maxthon/4.5.2 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "52c41d6db66cc82d7a1fb5e925bf4d21250a8390", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "418a5f6a5e1110ffbd155bc9313c50008e60f423", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.356124127053486, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ae37e9b4849311c381709ac6a98b819ffb9c59ba", "event_fingerprint": "70f5c1283eb500979ca075004106b3c894fdeef8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0500" ], "matched_pattern_names": [ "Cred Settings PHP" ], "pattern_ids": [ "pat-0500" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c45b693282b46eeaf200125748363cb9", "payload_hash": "4e825e6e38ff51abc0281f07b6b9295b", "path_pattern_hash": "b9b36a42819ef11fa7d42979d581f393" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/config\/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKi", "method": "GET", "path": "\/config\/settings.php", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/600.8.9 (KHTML, like Gecko) Maxthon\/4.5.2", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/settings.php HTTP\/1.1", "request_sample": "GET \/config\/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/600.8.9 (KHTML, like Gecko) Maxthon\/4.5.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKi", "evidence": { "method": "GET", "path": "\/config\/settings.php", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/600.8.9 (KHTML, like Gecko) Maxthon\/4.5.2", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/settings.php HTTP\/1.1", "request_sample": "GET \/config\/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/600.8.9 (KHTML, like Gecko) Maxthon\/4.5.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bbaef573c9d27656d3369e4ebc15023821f29742", "protocol_details": { "http_method": "GET", "http_path": "\/config\/settings.php", "request_line": "GET \/config\/settings.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/600.8.9 (KHTML, like Gecko) Maxthon\/4.5.2", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKi", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/settings.php", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/settings.php", "request_line": "GET \/config\/settings.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/600.8.9 (KHTML, like Gecko) Maxthon\/4.5.2", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/settings.php", "evidence_snippet": "GET \/config\/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKi", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/database.php	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/database.php UA Mozilla/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/database.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/database.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/database.php HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/database.php HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit/537. Requête brute (extrait) GET /config/database.php HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "9fa73de5bb2c069088c176b907ef24d822884f24", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "e700e04925bb0dece8be41de92b622f2cd49e098", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.404654803241096, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ae37e9b4849311c381709ac6a98b819ffb9c59ba", "event_fingerprint": "07c5fee6b3ab8938a872dae022f9e36ceee610e3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f31dfb51830d4159daa10ff9260d58d9", "payload_hash": "24f993ce50f7e41bc414e9ed1f7f1dc7", "path_pattern_hash": "a199a05002f19c0fd144e669de1d6b8d" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit\/537.", "method": "GET", "path": "\/config\/database.php", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/database.php HTTP\/1.1", "request_sample": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/config\/database.php", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/database.php HTTP\/1.1", "request_sample": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ab452f7218fa4ca9b83acc5d225a7e2c2aba42e6", "protocol_details": { "http_method": "GET", "http_path": "\/config\/database.php", "request_line": "GET \/config\/database.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/database.php", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/database.php", "request_line": "GET \/config\/database.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/database.php", "evidence_snippet": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960U1) AppleWebKit\/537.", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:7373 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7373 Chemin / cible — Service TLS Payload ��h�"�߱�S��C}Cb�(�2�FX�!� �M�[�!��d� RC F��y�V^z�k�ɾ�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��h�"�߱�S��C}Cb�(�2�FX�!� �M�[�!��d�RCF��y�V^z�k�ɾ�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��h�"�߱�S��C}Cb�(�2�FX�!� �M�[�!��d� RC F��y�V^z�k�ɾ�&�+�/�,�0̨̩� �� /5� w �+3&$ ��'h3�2�)��L�fl��Pɑfd��EFAW Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.886953115453194, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8aa0986985b15fad944749be675067b127bd5dfd", "event_fingerprint": "80ae7b245ee692f04eaae628590d47ffc7bce516", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "6585d361424c317c2427263cb495a166", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7373, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0014\ufffd\ufffdh\ufffd\"\ufffd\u0002\u07f1\ufffdS\ufffd\ufffdC\u001e}Cb\ufffd(\ufffd2\ufffd\u0007F\u0003X\ufffd!\ufffd \u000f\ufffdM\ufffd[\ufffd!\ufffd\ufffdd\ufffd\f\u001fRC\fF\ufffd\ufffd\ufffdy\ufffdV^z\ufffdk\ufffd\u027e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0014\ufffd\ufffdh\ufffd\"\ufffd\u0002\u07f1\ufffdS\ufffd\ufffdC\u001e}Cb\ufffd(\ufffd2\ufffd\u0007F\u0003X\ufffd!\ufffd \u000f\ufffdM\ufffd[\ufffd!\ufffd\ufffdd\ufffd\f\u001fRC\fF\ufffd\ufffd\ufffdy\ufffdV^z\ufffdk\ufffd\u027e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd'h3\ufffd2\ufffd)\ufffd\ufffdL\ufffdfl\ufffd\ufffd\u0001P\u0251fd\ufffd\b\ufffdEFAW", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0014\ufffd\ufffdh\ufffd\"\ufffd\u0002\u07f1\ufffdS\ufffd\ufffdC\u001e}Cb\ufffd(\ufffd2\ufffd\u0007F\u0003X\ufffd!\ufffd \u000f\ufffdM\ufffd[\ufffd!\ufffd\ufffdd\ufffd\f\u001fRC\fF\ufffd\ufffd\ufffdy\ufffdV^z\ufffdk\ufffd\u027e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2811ac6e4f152b4c2eae125fdd033e46aff74f4c", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0014\ufffd\ufffdh\ufffd\"\ufffd\u0002\u07f1\ufffdS\ufffd\ufffdC\u001e}Cb\ufffd(\ufffd2\ufffd\u0007F\u0003X\ufffd!\ufffd \u000f\ufffdM\ufffd[\ufffd!\ufffd\ufffdd\ufffd\f\u001fRC\fF\ufffd\ufffd\ufffdy\ufffdV^z\ufffdk\ufffd\u027e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdh\ufffd\"\ufffd\u07f1\ufffdS\ufffd\ufffdC}Cb\ufffd(\ufffd2\ufffdFX\ufffd!\ufffd \ufffdM\ufffd[\ufffd!\ufffd\ufffdd\ufffdRCF\ufffd\ufffd\ufffdy\ufffdV^z\ufffdk\ufffd\u027e\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0014\ufffd\ufffdh\ufffd\"\ufffd\u0002\u07f1\ufffdS\ufffd\ufffdC\u001e}Cb\ufffd(\ufffd2\ufffd\u0007F\u0003X\ufffd!\ufffd \u000f\ufffdM\ufffd[\ufffd!\ufffd\ufffdd\ufffd\f\u001fRC\fF\ufffd\ufffd\ufffdy\ufffdV^z\ufffdk\ufffd\u027e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdh\ufffd\"\ufffd\u07f1\ufffdS\ufffd\ufffdC}Cb\ufffd(\ufffd2\ufffdFX\ufffd!\ufffd \ufffdM\ufffd[\ufffd!\ufffd\ufffdd\ufffdRCF\ufffd\ufffd\ufffdy\ufffdV^z\ufffdk\ufffd\u027e\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7373 · (tentative d'exploit) · → /config/config.json	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /config/config.json UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/config.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3724.8 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/config.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /config/config.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3724.8 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "647a0137c8aecb8d5f393bffa535889610eaea58", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "de9396c02d7e95e2bf1af9f60ce296f0b321d0a5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.390304643266999, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.3, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c90053079e64ef5c87804f6963c78a3ceeff0f13", "event_fingerprint": "32865d65f4f882f42ec781e3ca921f95c7aa0d7b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dc0edc27de99421dbd5117455c2b4d5c", "payload_hash": "1a9673979b7d07279f1af8f54d0d0ae9", "path_pattern_hash": "3d1d3f9c6b53a14673a3554e1b4c6dd0" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/config\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/config\/config.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3724.8 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/config.json HTTP\/1.1", "request_sample": "GET \/config\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3724.8 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/config\/config.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3724.8 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/config.json HTTP\/1.1", "request_sample": "GET \/config\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3724.8 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "72598abd5f8da069845aacbb8a44b518291f3407", "protocol_details": { "http_method": "GET", "http_path": "\/config\/config.json", "request_line": "GET \/config\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3724.8 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/config.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/config.json", "request_line": "GET \/config\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3724.8 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/config.json", "evidence_snippet": "GET \/config\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:7373 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7373 Chemin / cible — Service TLS Payload ��s��W��$)�l��\Gͧ�K +��<��0LL\;�-`��<�\Fg� }{&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��s��W��$)�l��\Gͧ�K +��<��0LL\;�-`��<�\Fg� }{&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��s��W��$)�l��\Gͧ�K +��<��0LL\;�-`��<�\Fg� }{&�+�/�,�0̨̩� �� /5� w �+3&$ K�cw6��b�H�< M�t��"dΫL׏�� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.771903297500016, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8aa0986985b15fad944749be675067b127bd5dfd", "event_fingerprint": "80ae7b245ee692f04eaae628590d47ffc7bce516", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "baae93d471c8bde9efc1d53dbcfb19cb", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7373, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\ufffds\ufffd\ufffd\ufffd\ufffdW\u0002\ufffd\ufffd\ufffd\ufffd$)\u0014\u0018\ufffdl\ufffd\u0002\ufffd\\\u0014G\u0367\u0013\ufffd\u0004K +\ufffd\u0016\ufffd\ufffd\ufffd\u0014\ufffd<\ufffd\ufffd0LL\\;\ufffd-`\ufffd\ufffd<\ufffd\\Fg\ufffd\n\n}{\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\ufffds\ufffd\ufffd\ufffd\ufffdW\u0002\ufffd\ufffd\ufffd\ufffd$)\u0014\u0018\ufffdl\ufffd\u0002\ufffd\\\u0014G\u0367\u0013\ufffd\u0004K +\ufffd\u0016\ufffd\ufffd\ufffd\u0014\ufffd<\ufffd\ufffd0LL\\;\ufffd-`\ufffd\ufffd<\ufffd\\Fg\ufffd\n\n}{\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 K\ufffdcw6\u0014\ufffd\ufffdb\u0012\ufffdH\ufffd<\tM\ufffd\u0013t\ufffd\ufffd\"d\u03abL\u05cf\ufffd\ufffd\ufffd\f", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\ufffds\ufffd\ufffd\ufffd\ufffdW\u0002\ufffd\ufffd\ufffd\ufffd$)\u0014\u0018\ufffdl\ufffd\u0002\ufffd\\\u0014G\u0367\u0013\ufffd\u0004K +\ufffd\u0016\ufffd\ufffd\ufffd\u0014\ufffd<\ufffd\ufffd0LL\\;\ufffd-`\ufffd\ufffd<\ufffd\\Fg\ufffd\n\n}{\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8254c6998deef805d932c3a9c9adc4074302f255", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\ufffds\ufffd\ufffd\ufffd\ufffdW\u0002\ufffd\ufffd\ufffd\ufffd$)\u0014\u0018\ufffdl\ufffd\u0002\ufffd\\\u0014G\u0367\u0013\ufffd\u0004K +\ufffd\u0016\ufffd\ufffd\ufffd\u0014\ufffd<\ufffd\ufffd0LL\\;\ufffd-`\ufffd\ufffd<\ufffd\\Fg\ufffd\n\n}{\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd\ufffd\ufffd$)\ufffdl\ufffd\ufffd\\G\u0367\ufffdK +\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffd0LL\\;\ufffd-`\ufffd\ufffd<\ufffd\\Fg\ufffd\n\n}{&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\ufffds\ufffd\ufffd\ufffd\ufffdW\u0002\ufffd\ufffd\ufffd\ufffd$)\u0014\u0018\ufffdl\ufffd\u0002\ufffd\\\u0014G\u0367\u0013\ufffd\u0004K +\ufffd\u0016\ufffd\ufffd\ufffd\u0014\ufffd<\ufffd\ufffd0LL\\;\ufffd-`\ufffd\ufffd<\ufffd\\Fg\ufffd\n\n}{\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd\ufffd\ufffd$)\ufffdl\ufffd\ufffd\\G\u0367\ufffdK +\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffd0LL\\;\ufffd-`\ufffd\ufffd<\ufffd\\Fg\ufffd\n\n}{&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:7373 · (tentative d'exploit) · → /server/secrets.json	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /server/secrets.json UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_k8s_probe Cible HTTP GET /server/secrets.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /server/secrets.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0496 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Secrets JSON file Ligne de requête `GET /server/secrets.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.35 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server/secrets.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi Requête brute (extrait) GET /server/secrets.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.35 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "2eefe2eb2d7704abbfaba3194b6ec1abfe4ea1d9", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "5647b3d5d4414e068d63f3478ce1ad7b134bdc0a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.371696098310742, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4f00f525fdd7ff927ed76b52298b4164a2ee3153", "event_fingerprint": "85953ffa7c3d969619144abd422aec7c63dd2172", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0496" ], "matched_pattern_names": [ "Cred Secrets JSON file" ], "pattern_ids": [ "pat-0496" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "54a73395cee722ac1bae0a917ed69669", "payload_hash": "844ac95b520e8fca35f7e52a946178b6", "path_pattern_hash": "f81daa0bd66d196382d4552c744f4562" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/server\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "method": "GET", "path": "\/server\/secrets.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/secrets.json HTTP\/1.1", "request_sample": "GET \/server\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/server\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "evidence": { "method": "GET", "path": "\/server\/secrets.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/secrets.json HTTP\/1.1", "request_sample": "GET \/server\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/server\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cfc3ec4a94bbb468072c1e2189835404009e9844", "protocol_details": { "http_method": "GET", "http_path": "\/server\/secrets.json", "request_line": "GET \/server\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/secrets.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0496", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/secrets.json", "request_line": "GET \/server\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/secrets.json", "evidence_snippet": "GET \/server\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_k8s_probe", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:7373 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7373 Chemin / cible — Service TLS Payload ��4��rߤl�7��_� N쒽 v"�@ ?��&� ]�]�-�_ׁ�� J��R��6&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��4��rߤl�7��_�N쒽v"�@ ?��&� ]�]�-�_ׁ�� J��R��6&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��4��rߤl�7��_� N쒽 v"�@ ?��&� ]�]�-�_ׁ�� J��R��6&�+�/�,�0̨̩� �� /5� w �+3&$ ��"�<N��;~��l��?�Q��bƨ�E Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.798486327689718, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8aa0986985b15fad944749be675067b127bd5dfd", "event_fingerprint": "80ae7b245ee692f04eaae628590d47ffc7bce516", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "5e8496475ca089a38397f288eeab9394", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7373, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd4\ufffd\ufffdr\u07e4l\ufffd7\u0014\u0019\ufffd\ufffd\ufffd\ufffd_\ufffd\u000b\u0016N\uc4bd\u000bv\"\ufffd@\u0003\u000f ?\ufffd\u001e\ufffd&\ufffd ]\u001c\ufffd]\ufffd-\ufffd_\u05c1\ufffd\ufffd\tJ\ufffd\ufffd\ufffdR\b\u0015\ufffd\ufffd6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd4\ufffd\ufffdr\u07e4l\ufffd7\u0014\u0019\ufffd\ufffd\ufffd\ufffd_\ufffd\u000b\u0016N\uc4bd\u000bv\"\ufffd@\u0003\u000f ?\ufffd\u001e\ufffd&\ufffd ]\u001c\ufffd]\ufffd-\ufffd_\u05c1\ufffd\ufffd\tJ\ufffd\ufffd\ufffdR\b\u0015\ufffd\ufffd6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u000f\ufffd\ufffd\"\u0017\ufffd<N\u001d\ufffd\ufffd\u0010\ufffd;~\ufffd\ufffdl\ufffd\ufffd?\ufffd\u0016\u0019Q\ufffd\ufffdb\u01a8\ufffdE", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd4\ufffd\ufffdr\u07e4l\ufffd7\u0014\u0019\ufffd\ufffd\ufffd\ufffd_\ufffd\u000b\u0016N\uc4bd\u000bv\"\ufffd@\u0003\u000f ?\ufffd\u001e\ufffd&\ufffd ]\u001c\ufffd]\ufffd-\ufffd_\u05c1\ufffd\ufffd\tJ\ufffd\ufffd\ufffdR\b\u0015\ufffd\ufffd6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bed7c5db4fcf15aadaf3e8870a593d24cb666b37", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd4\ufffd\ufffdr\u07e4l\ufffd7\u0014\u0019\ufffd\ufffd\ufffd\ufffd_\ufffd\u000b\u0016N\uc4bd\u000bv\"\ufffd@\u0003\u000f ?\ufffd\u001e\ufffd&\ufffd ]\u001c\ufffd]\ufffd-\ufffd_\u05c1\ufffd\ufffd\tJ\ufffd\ufffd\ufffdR\b\u0015\ufffd\ufffd6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd4\ufffd\ufffdr\u07e4l\ufffd7\ufffd\ufffd\ufffd\ufffd_\ufffdN\uc4bdv\"\ufffd@ ?\ufffd\ufffd&\ufffd ]\ufffd]\ufffd-\ufffd_\u05c1\ufffd\ufffd\tJ\ufffd\ufffd\ufffdR\ufffd\ufffd6&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd4\ufffd\ufffdr\u07e4l\ufffd7\u0014\u0019\ufffd\ufffd\ufffd\ufffd_\ufffd\u000b\u0016N\uc4bd\u000bv\"\ufffd@\u0003\u000f ?\ufffd\u001e\ufffd&\ufffd ]\u001c\ufffd]\ufffd-\ufffd_\u05c1\ufffd\ufffd\tJ\ufffd\ufffd\ufffdR\b\u0015\ufffd\ufffd6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd4\ufffd\ufffdr\u07e4l\ufffd7\ufffd\ufffd\ufffd\ufffd_\ufffdN\uc4bdv\"\ufffd@ ?\ufffd\ufffd&\ufffd ]\ufffd]\ufffd-\ufffd_\u05c1\ufffd\ufffd\tJ\ufffd\ufffd\ufffdR\ufffd*\ufffd6&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:7373 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7373 Chemin / cible — Service TLS Payload ��Ĳx�P��e�W�D\m>��oҕ\|�:�� ԁ��;2r)d(n]ޠ�%(��o^�� [&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Ĳx�P��e�W�D\m>��oҕ\|�:�� ԁ��;2r)d(n]ޠ�%(��o^��[&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Ĳx�P��e�W�D\m>��oҕ\|�:�� ԁ��;2r)d(n]ޠ�%(��o^�� [&�+�/�,�0̨̩� �� /5� w �+3&$ �V��_Mx�m��L \| �ۖ�ˤ�wԨg Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.907544618761984, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8aa0986985b15fad944749be675067b127bd5dfd", "event_fingerprint": "80ae7b245ee692f04eaae628590d47ffc7bce516", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "06fc361e637b7fa33d75460fe3d0b1b5", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7373, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0132x\ufffdP\ufffd\ufffde\ufffd\u0015W\ufffdD\\m\u001b>\ufffd\ufffd\ufffd\ufffd\u001bo\u0495\|\ufffd:\ufffd\ufffd \r\ufffd\u0501\ufffd\ufffd;2r)d(n]\u07a0\ufffd%(\ufffd\ufffdo^\u001f\ufffd\ufffd\ufffd\ufffd\u0002\u000b[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0132x\ufffdP\ufffd\ufffde\ufffd\u0015W\ufffdD\\m\u001b>\ufffd\ufffd\ufffd\ufffd\u001bo\u0495\|\ufffd:\ufffd\ufffd \r\ufffd\u0501\ufffd\ufffd;2r)d(n]\u07a0\ufffd%(\ufffd\ufffdo^\u001f\ufffd\ufffd\ufffd\ufffd\u0002\u000b[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdV\ufffd\ufffd\ufffd\ufffd_\u0003Mx\u001e\ufffdm\ufffd\ufffdL\n\|\u0015\n\ufffd\u06d6\ufffd\u02e4\ufffdw\u0528g", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0132x\ufffdP\ufffd\ufffde\ufffd\u0015W\ufffdD\\m\u001b>\ufffd\ufffd\ufffd\ufffd\u001bo\u0495\|\ufffd:\ufffd\ufffd \r\ufffd\u0501\ufffd\ufffd;2r)d(n]\u07a0\ufffd%(\ufffd\ufffdo^\u001f\ufffd\ufffd\ufffd\ufffd\u0002\u000b[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5c9bd6da3790a89704d8d1d9c22fdd370f82d7c7", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0132x\ufffdP\ufffd\ufffde\ufffd\u0015W\ufffdD\\m\u001b>\ufffd\ufffd\ufffd\ufffd\u001bo\u0495\|\ufffd:\ufffd\ufffd \r\ufffd\u0501\ufffd\ufffd;2r)d(n]\u07a0\ufffd%(\ufffd\ufffdo^\u001f\ufffd\ufffd\ufffd\ufffd\u0002\u000b[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\u0132x\ufffdP\ufffd\ufffde\ufffdW\ufffdD\\m>\ufffd\ufffd\ufffd\ufffdo\u0495\|\ufffd:\ufffd\ufffd \r\ufffd\u0501\ufffd\ufffd;2r)d(n]\u07a0\ufffd%(\ufffd\ufffdo^\ufffd\ufffd\ufffd\ufffd[&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0132x\ufffdP\ufffd\ufffde\ufffd\u0015W\ufffdD\\m\u001b>\ufffd\ufffd\ufffd\ufffd\u001bo\u0495\|\ufffd:\ufffd\ufffd \r\ufffd\u0501\ufffd\ufffd;2r)d(n]\u07a0\ufffd%(\ufffd\ufffdo^\u001f\ufffd\ufffd\ufffd\ufffd\u0002\u000b[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\u0132x\ufffdP\ufffd\ufffde\ufffdW\ufffdD\\m>\ufffd\ufffd\ufffd\ufffdo\u0495\|\ufffd:\ufffd\ufffd \r\ufffd\u0501\ufffd\ufffd;2r)d(n]\u07a0\ufffd%(\ufffd\ufffdo^\ufffd\ufffd\ufffd\ufffd[&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/config.php	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/config.php UA EmailWolf 1.00 Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950468:nosqli-3 http_probe_config http_sensitive_path net_flood Cible HTTP GET /config/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php Ligne de requête `GET /config/config.php HTTP/1.1` User-Agent EmailWolf 1.00 Règles WAF nosqli-3 Payload (extrait) GET /config/config.php HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: EmailWolf 1.00 Accept-Charset: utf-8 Accept-Encoding: gzip Requête brute (extrait) GET /config/config.php HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: EmailWolf 1.00 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "dcfc498d4e1428fb9bd198420c4c2d710f4fc4ee", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "b8ef185fa629a44e5f886526b7a4543e57899abc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 151, "payload_entropy": 5.054446316927533, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a6ef9e2a1abcf16b93ba07b79de9a47fb77ce6d7", "event_fingerprint": "69510b4f554bd94cc50aacba621afafaf4f9dbfd", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0118" ], "matched_pattern_names": [ "LFI Generic config.php" ], "pattern_ids": [ "pat-0118" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "61fd284487c1f3fbc759ccc3e3812d07", "payload_hash": "7193ea25f9b0620f203843ace074e9e1", "path_pattern_hash": "72260f34617018282328c71c36115b23" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: EmailWolf 1.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "method": "GET", "path": "\/config\/config.php", "user_agent": "EmailWolf 1.00", "waf_tags": [ "950468:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/config\/config.php HTTP\/1.1", "request_sample": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: EmailWolf 1.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: EmailWolf 1.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "evidence": { "method": "GET", "path": "\/config\/config.php", "user_agent": "EmailWolf 1.00", "waf_tags": [ "950468:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/config\/config.php HTTP\/1.1", "request_sample": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: EmailWolf 1.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: EmailWolf 1.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fbb221a2744738b89178931379360cf2c4e864a1", "protocol_details": { "http_method": "GET", "http_path": "\/config\/config.php", "request_line": "GET \/config\/config.php HTTP\/1.1", "http_user_agent": "EmailWolf 1.00", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: EmailWolf 1.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/config.php", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/config.php", "request_line": "GET \/config\/config.php HTTP\/1.1", "http_user_agent": "EmailWolf 1.00", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/config.php", "evidence_snippet": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: EmailWolf 1.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "http_probe_config", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/database.json	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/database.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/database.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/database.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/database.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.42 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/database.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /config/database.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.42 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "45f91def00f8b8a4e84a5e46a0602e992f7966c1", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "942ff77c5ee7a45ad41df6b61bbcc8c510b2de01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.409655870943941, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3d15a1df9f3da072bc7217b5568d9304fd9d593e", "event_fingerprint": "d379eff5f4b060921056d1640c41fe938b67f17a", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "236db24e4793d97e5cd528d7002c4996", "payload_hash": "d3598f9de534d42bbe6fd30850ad903a", "path_pattern_hash": "571ed335a10c7335c4655f72fb6293ea" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/config\/database.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/config\/database.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/database.json HTTP\/1.1", "request_sample": "GET \/config\/database.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/database.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/config\/database.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/database.json HTTP\/1.1", "request_sample": "GET \/config\/database.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/database.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "155deefd68c4b468e1b204fdbf6a1ee808448ae1", "protocol_details": { "http_method": "GET", "http_path": "\/config\/database.json", "request_line": "GET \/config\/database.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/database.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/database.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/database.json", "request_line": "GET \/config\/database.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/database.json", "evidence_snippet": "GET \/config\/database.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/application.yml	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/application.yml UA Mozilla/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/application.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/application.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/application.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/application.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit/5 Requête brute (extrait) GET /config/application.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "6db5a3149771ca2ccbc88247150379bb7fb8f492", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "21bd12a36544d7656ab5efe66271236b69b5a1f6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.4013899012107975, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3d15a1df9f3da072bc7217b5568d9304fd9d593e", "event_fingerprint": "45d82e301703bded761cf6538301f5dfe7780e26", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "54f4fdf0c1513a3bfb676ab12b95a518", "payload_hash": "609b69cdc1b57f563de9d2d069217801", "path_pattern_hash": "483067fc8f328a203e484adab257e7db" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/config\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit\/5", "method": "GET", "path": "\/config\/application.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/application.yml HTTP\/1.1", "request_sample": "GET \/config\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/config\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/config\/application.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/application.yml HTTP\/1.1", "request_sample": "GET \/config\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/config\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit\/5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "efcfbc42416f188eb11267fec2af4e1fdc4529bd", "protocol_details": { "http_method": "GET", "http_path": "\/config\/application.yml", "request_line": "GET \/config\/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit\/5", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/application.yml", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/application.yml", "request_line": "GET \/config\/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/application.yml", "evidence_snippet": "GET \/config\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710VM) AppleWebKit\/5", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:7373 · (tentative d'exploit) · → /config/secrets.json	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /config/secrets.json UA SonyEricssonW580i/R6BC Browser/NetFront/3.3 Profile/MIDP-2.0 Co… Émulateur HTTP WAF 12 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 http_k8s_probe http_probe_config Cible HTTP GET /config/secrets.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/secrets.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « nosqli-3 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux pat-0496 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Secrets JSON file Ligne de requête `GET /config/secrets.json HTTP/1.1` User-Agent SonyEricssonW580i/R6BC Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Règles WAF nosqli-3 Payload (extrait) GET /config/secrets.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: SonyEricssonW580i/R6BC Browser/NetFront/3.3 Profile/MIDP-2 Requête brute (extrait) GET /config/secrets.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: SonyEricssonW580i/R6BC Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "0a2a6e381b4e8347dd10f0b771da99a36948c454", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "d245df2b930ac6e64a12821e6902cce878e9a7ce", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 222, "payload_entropy": 5.2231491105190475, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 56, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 56, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "0337ef89e01e787db0a1d1947ebcad6bb62cb2ec", "event_fingerprint": "f53c4e913af732b4fcabd842b8ce355534e59a2e", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0496" ], "matched_pattern_names": [ "Cred Secrets JSON file" ], "pattern_ids": [ "pat-0496" ], "confidence_breakdown": { "waf": 56, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58ceef08d6bf010bb55668116df85616", "payload_hash": "db0a2cdedcf2e82688604f873f98a945", "path_pattern_hash": "b82ce86956be379e0d4ab3fedf084ba0" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/config\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2", "method": "GET", "path": "\/config\/secrets.json", "user_agent": "SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/config\/secrets.json HTTP\/1.1", "request_sample": "GET \/config\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2", "evidence": { "method": "GET", "path": "\/config\/secrets.json", "user_agent": "SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/config\/secrets.json HTTP\/1.1", "request_sample": "GET \/config\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "72a39d101e13ae543bf7d07631a6d3982e713d96", "protocol_details": { "http_method": "GET", "http_path": "\/config\/secrets.json", "request_line": "GET \/config\/secrets.json HTTP\/1.1", "http_user_agent": "SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2", "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/secrets.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 56, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0496", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/secrets.json", "request_line": "GET \/config\/secrets.json HTTP\/1.1", "http_user_agent": "SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/secrets.json", "evidence_snippet": "GET \/config\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 56 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "http_k8s_probe", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7373 · (tentative d'exploit) · → /server/config.json	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /server/config.json UA Mozilla/5.0 (Linux; Android 9; POCO F1) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /server/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /server/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server/config.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; POCO F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server/config.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 9; POCO F1) AppleWebKit/537.36 Requête brute (extrait) GET /server/config.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 9; POCO F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "8ac8c5939d9e2ede857965537f9fb8e850aa4856", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "6256573df3840cfac04bc2ab872867391edaaec3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.42719143250903, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fb145b4a7162fd2843d6351dcff7780b7368321", "event_fingerprint": "a6082b6dfe619845f1d82e37836e427c168817f5", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0550ff632e5e528af3eb24a9aca8de12", "payload_hash": "516e224d26a29f6ae01fe4bb446b0ea4", "path_pattern_hash": "d098cd03de959936fc86eaeec4921ada" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/server\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 ", "method": "GET", "path": "\/server\/config.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/config.json HTTP\/1.1", "request_sample": "GET \/server\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/server\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/server\/config.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/config.json HTTP\/1.1", "request_sample": "GET \/server\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/server\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a526703e658e9cae6cca9dd740cc6aff195fa522", "protocol_details": { "http_method": "GET", "http_path": "\/server\/config.json", "request_line": "GET \/server\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/config.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/config.json", "request_line": "GET \/server\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/config.json", "evidence_snippet": "GET \/server\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/parameters.yml	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/parameters.yml UA Mozilla/5.0 (compatible; Konqueror/4.5; FreeBSD) KHTML/4.5.4 (l… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/parameters.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/parameters.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/parameters.yml HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Konqueror/4.5; FreeBSD) KHTML/4.5.4 (like Gecko) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/parameters.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.5; FreeBSD) KHTML/4 Requête brute (extrait) GET /config/parameters.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.5; FreeBSD) KHTML/4.5.4 (like Gecko) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "410472493bc955f4fd2d9649d46a86d829abb5a5", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "e985a74d9ec6187d476021931d698376d834a9cf", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.350653300481505, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ae37e9b4849311c381709ac6a98b819ffb9c59ba", "event_fingerprint": "d7aae41577311278d12c6a20a215f1a0cbdcc737", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2ac5e8a9decd6c810534f1d5f434fb93", "payload_hash": "1b3c2bd4c8db5a82a7396cc206711385", "path_pattern_hash": "ffe159f5ae172e27508531699989483b" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.5; FreeBSD) KHTML\/4", "method": "GET", "path": "\/config\/parameters.yml", "user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.5; FreeBSD) KHTML\/4.5.4 (like Gecko)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/parameters.yml HTTP\/1.1", "request_sample": "GET \/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.5; FreeBSD) KHTML\/4.5.4 (like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.5; FreeBSD) KHTML\/4", "evidence": { "method": "GET", "path": "\/config\/parameters.yml", "user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.5; FreeBSD) KHTML\/4.5.4 (like Gecko)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/parameters.yml HTTP\/1.1", "request_sample": "GET \/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.5; FreeBSD) KHTML\/4.5.4 (like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.5; FreeBSD) KHTML\/4", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ebd25ebf507e42bce0fd9673a30abbad336afd73", "protocol_details": { "http_method": "GET", "http_path": "\/config\/parameters.yml", "request_line": "GET \/config\/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.5; FreeBSD) KHTML\/4.5.4 (like Gecko)", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.5; FreeBSD) KHTML\/4", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/parameters.yml", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/parameters.yml", "request_line": "GET \/config\/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.5; FreeBSD) KHTML\/4.5.4 (like Gecko)", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/parameters.yml", "evidence_snippet": "GET \/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.5; FreeBSD) KHTML\/4", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:7373 · (tentative d'exploit) · → /config/credentials.json	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /config/credentials.json UA Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like G… Émulateur HTTP WAF 12 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 http_probe_config net_flood Cible HTTP GET /config/credentials.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/credentials.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « nosqli-3 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux pat-0472 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Credentials JSON Ligne de requête `GET /config/credentials.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Règles WAF nosqli-3 Payload (extrait) GET /config/credentials.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /config/credentials.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "269f299a1b6466450eef37e3bd2216e896f00643", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "5234289420e6776a17bc2d2e029b5e8f0af33b10", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.339294575668736, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 56, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 56, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "42649f877cf25dfdec5aa50a62a6373c89213179", "event_fingerprint": "114509390768d6554e433c42f19febf797026621", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0472" ], "matched_pattern_names": [ "Cred Credentials JSON" ], "pattern_ids": [ "pat-0472" ], "confidence_breakdown": { "waf": 56, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "395eaed4d65d0874bc39be1ce2ef5ca7", "payload_hash": "9c20dcc37b2d801cd8cfdd2cf17eabed", "path_pattern_hash": "a434f033cdfe1c6228665bc262140ac0" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/config\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/config\/credentials.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/config\/credentials.json HTTP\/1.1", "request_sample": "GET \/config\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/config\/credentials.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/config\/credentials.json HTTP\/1.1", "request_sample": "GET \/config\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c37cf37c139950a0e1f3e18e62c5989de93ea784", "protocol_details": { "http_method": "GET", "http_path": "\/config\/credentials.json", "request_line": "GET \/config\/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTM", "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/credentials.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 56, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0472", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/credentials.json", "request_line": "GET \/config\/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/credentials.json", "evidence_snippet": "GET \/config\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTM", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 56 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/cache.php	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/cache.php UA Mozilla/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit/537.3… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/cache.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/cache.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/cache.php HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/cache.php HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit/537 Requête brute (extrait) GET /config/cache.php HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "61c15a1bafb7c8c0090682da02ea640e51d23427", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "9692de7bdad9583db6331e50d4b9dacf18ddb2e0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.419724114420982, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ae37e9b4849311c381709ac6a98b819ffb9c59ba", "event_fingerprint": "b7f500f2759597cb9cdee8c0b4ba98fbc5d5a4a9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bff8e6711f419e07062311d68e7a75c0", "payload_hash": "57d35b6623c3b7f62581d6cd8368b1eb", "path_pattern_hash": "875d6aa330eaf796664c4387fbf0c3b1" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/config\/cache.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit\/537", "method": "GET", "path": "\/config\/cache.php", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/cache.php HTTP\/1.1", "request_sample": "GET \/config\/cache.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/config\/cache.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/config\/cache.php", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/cache.php HTTP\/1.1", "request_sample": "GET \/config\/cache.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/config\/cache.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "26e37198d025948672395c897ce69eeccf14fd2d", "protocol_details": { "http_method": "GET", "http_path": "\/config\/cache.php", "request_line": "GET \/config\/cache.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/cache.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/cache.php", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/cache.php", "request_line": "GET \/config\/cache.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/cache.php", "evidence_snippet": "GET \/config\/cache.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6003) AppleWebKit\/537", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /server/config.yml	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server/config.yml UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /server/config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /server/config.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server/config.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/80.0.180 Chrome/74.0.3729.180 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server/config.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /server/config.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/80.0.180 Chrome/74.0.3729.180 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Conne Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "9a648c59dc1ccd46f17d79f10dfab373023bd250", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "d6bee6c26ea42d2ce57a9376d4e5ea869699999a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 272, "payload_entropy": 5.440287459554048, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 64, "tag_count": 4, "anomaly_count": 0, "campaign_key": "05f3bd052b9cff3160d287bf5c585185b75cabc0", "event_fingerprint": "bca911d40c7531e7c77902b932ad22d3d4cb6a39", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "abe549b65656f0d240af7f3f892c6538", "payload_hash": "b7fb414ac6702317076dc779a97aae74", "path_pattern_hash": "5e5de5e36ef9a737914d2d62be2bfa01" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/server\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/server\/config.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) coc_coc_browser\/80.0.180 Chrome\/74.0.3729.180 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/config.yml HTTP\/1.1", "request_sample": "GET \/server\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) coc_coc_browser\/80.0.180 Chrome\/74.0.3729.180 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/server\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/server\/config.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) coc_coc_browser\/80.0.180 Chrome\/74.0.3729.180 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server\/config.yml HTTP\/1.1", "request_sample": "GET \/server\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) coc_coc_browser\/80.0.180 Chrome\/74.0.3729.180 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/server\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "99bb126f45e887165849efdd567fccfa36bbc2bd", "protocol_details": { "http_method": "GET", "http_path": "\/server\/config.yml", "request_line": "GET \/server\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) coc_coc_browser\/80.0.180 Chrome\/74.0.3729.1\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/config.yml", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server\/config.yml", "request_line": "GET \/server\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) coc_coc_browser\/80.0.180 Chrome\/74.0.3729.1\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/config.yml", "evidence_snippet": "GET \/server\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/parameters.yaml	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/parameters.yaml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/parameters.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/parameters.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/parameters.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/parameters.yaml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWe Requête brute (extrait) GET /config/parameters.yaml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yaml", "http_ua_hash": "465b4c97b6e69d085e4aefa5cb6c7dd7b79f707b", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "48ec704c337209e5e30476493203a595020a29cc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.381016646166086, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ae37e9b4849311c381709ac6a98b819ffb9c59ba", "event_fingerprint": "8c0f7d20f26eb16742d048a1b65f96a17c73b574", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cf8070654ecd18275e4a68fc8fabda92", "payload_hash": "57e6b6d68e19e522bcd5bf8ce5f3c330", "path_pattern_hash": "81aa704862a049efd37a741ef24b3dd7" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWe", "method": "GET", "path": "\/config\/parameters.yaml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/parameters.yaml HTTP\/1.1", "request_sample": "GET \/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWe", "evidence": { "method": "GET", "path": "\/config\/parameters.yaml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/parameters.yaml HTTP\/1.1", "request_sample": "GET \/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWe", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e1ca8e95e9b0c24db2b1d024ee88138b67155524", "protocol_details": { "http_method": "GET", "http_path": "\/config\/parameters.yaml", "request_line": "GET \/config\/parameters.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWe", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/parameters.yaml", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/parameters.yaml", "request_line": "GET \/config\/parameters.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/parameters.yaml", "evidence_snippet": "GET \/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWe", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/application.properties	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/application.properties UA Mozilla/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.7) Gecko Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 http_probe_config net_flood Cible HTTP GET /config/application.properties TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/application.properties Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/application.properties HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.7) Gecko Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/application.properties HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (X11; U; FreeBSD; i386; en-US; rv:1. Requête brute (extrait) GET /config/application.properties HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.7) Gecko Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "properties", "http_ua_hash": "8298049d71e95110bd38472b3986ed5f4c3b1a0c", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "19466bed7c4f7605a6c5066001d33e4cf1ce8497", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 205, "payload_entropy": 5.229868848927875, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8e19921302c1a79b5a131d5dc09c89448af91aec", "event_fingerprint": "71424cf97146120be21ffbc91ec461fd54c341e4", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 57, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "292b6843ab61ff69093df856496e872d", "payload_hash": "fd80741bdb0c6b5a763c3f97ad15d4ae", "path_pattern_hash": "4e42f78bea2104e7cf7ee364ae009f68" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/config\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.", "method": "GET", "path": "\/config\/application.properties", "user_agent": "Mozilla\/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.7) Gecko", "waf_tags": [ "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/application.properties HTTP\/1.1", "request_sample": "GET \/config\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.7) Gecko\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.", "evidence": { "method": "GET", "path": "\/config\/application.properties", "user_agent": "Mozilla\/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.7) Gecko", "waf_tags": [ "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/application.properties HTTP\/1.1", "request_sample": "GET \/config\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.7) Gecko\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d972a6fbb86ae7c9967b0cec85d0aa2beb63116b", "protocol_details": { "http_method": "GET", "http_path": "\/config\/application.properties", "request_line": "GET \/config\/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.7) Gecko", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/application.properties", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 57, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/application.properties", "request_line": "GET \/config\/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.7) Gecko", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/application.properties", "evidence_snippet": "GET \/config\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD; i386; en-US; rv:1.", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/keys.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/keys.json UA Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Ge… Émulateur HTTP WAF 12 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 http_probe_config net_flood Cible HTTP GET /config/keys.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/keys.json Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/keys.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36 Règles WAF nosqli-3 Payload (extrait) GET /config/keys.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /config/keys.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "182657c06be8e5d4eefdbb60c971c910232425b7", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "2c78d8f697f91556ab9c3211aab7056a4da36806", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.367923004819852, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 56, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "74b863af25457383c7718c9ed48e85964e10788b", "event_fingerprint": "3f5d482e13020d7773c66910deddac5842a187d0", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fd99bbfd37f45f6220b36e6e393bd793", "payload_hash": "c1b2dae1171008eec0ff0c793d16e084", "path_pattern_hash": "bd83815abdfb4c4901e183b4e20e5597" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/config\/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like ", "method": "GET", "path": "\/config\/keys.json", "user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.67 Safari\/537.36", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/config\/keys.json HTTP\/1.1", "request_sample": "GET \/config\/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.67 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/config\/keys.json", "user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.67 Safari\/537.36", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/config\/keys.json HTTP\/1.1", "request_sample": "GET \/config\/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.67 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "062fedb06579640bf5a68ad2468ca422bb762553", "protocol_details": { "http_method": "GET", "http_path": "\/config\/keys.json", "request_line": "GET \/config\/keys.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.67 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/keys.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/keys.json", "request_line": "GET \/config\/keys.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.67 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/keys.json", "evidence_snippet": "GET \/config\/keys.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 56 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/services.php	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/services.php UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/services.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/services.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/services.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.10 Safari/537.36 Edg/77.0.235.5 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/services.php HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537. Requête brute (extrait) GET /config/services.php HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.10 Safari/537.36 Edg/77.0.235.5 Accept-Charset: utf-8 Accept-Encoding: gzip Connectio Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "3862d9c82764603f01895b6fbe812ba287bc904f", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "3ca2bec84ec8ba69efd80baa52ae496391a16c98", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 268, "payload_entropy": 5.385702756625398, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ae37e9b4849311c381709ac6a98b819ffb9c59ba", "event_fingerprint": "49fc49c52c7debb01ab4ee1ee5b72e53c84b7e80", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "69da0ec884a4cabd672cf7b733d58e25", "payload_hash": "1119a83d34e39e38f476e6daedd71f62", "path_pattern_hash": "1a4e64bcf01550beeb5ff11653df0118" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/config\/services.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "method": "GET", "path": "\/config\/services.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.10 Safari\/537.36 Edg\/77.0.235.5", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/services.php HTTP\/1.1", "request_sample": "GET \/config\/services.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.10 Safari\/537.36 Edg\/77.0.235.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/config\/services.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/config\/services.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.10 Safari\/537.36 Edg\/77.0.235.5", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/services.php HTTP\/1.1", "request_sample": "GET \/config\/services.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.10 Safari\/537.36 Edg\/77.0.235.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/config\/services.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "78820d2e1dc9623a5f0489157dad55dabac22b30", "protocol_details": { "http_method": "GET", "http_path": "\/config\/services.php", "request_line": "GET \/config\/services.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.10 Safari\/537.36 Edg\/\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/services.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/services.php", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/services.php", "request_line": "GET \/config\/services.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.10 Safari\/537.36 Edg\/\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/services.php", "evidence_snippet": "GET \/config\/services.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/mail.php	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/mail.php UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/mail.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/mail.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/mail.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/mail.php HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /config/mail.php HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "25d4883113108053361b58cbed8e83c55ed1010f", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "a3c407d6a87f65745e0ab4f00693213892a25d7c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.422094864433271, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ae37e9b4849311c381709ac6a98b819ffb9c59ba", "event_fingerprint": "a2498d0209123724e9103095f49b83e9df16ce45", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ebc68e4ed83b0ed082a932ace80665db", "payload_hash": "c2830cfbb79c059f01b4e06ee3b7b564", "path_pattern_hash": "9f9ddcc3b2a6db2bc31eefdcce505d28" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/config\/mail.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "method": "GET", "path": "\/config\/mail.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/mail.php HTTP\/1.1", "request_sample": "GET \/config\/mail.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/mail.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "method": "GET", "path": "\/config\/mail.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/mail.php HTTP\/1.1", "request_sample": "GET \/config\/mail.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/mail.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f4900a717332daa8169dac1d778847c718ca79cc", "protocol_details": { "http_method": "GET", "http_path": "\/config\/mail.php", "request_line": "GET \/config\/mail.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/mail.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/mail.php", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/mail.php", "request_line": "GET \/config\/mail.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/mail.php", "evidence_snippet": "GET \/config\/mail.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /config/app.php	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/app.php UA Mozilla/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit/537.36 (… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/app.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /config/app.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/app.php HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/app.php HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit/537.36 ( Requête brute (extrait) GET /config/app.php HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "cbbde95e6d477084030082a4121b49463aa43627", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "4d388b5973ca832ef2abea7dc7b3d1d0491429b6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.404927060172422, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ae37e9b4849311c381709ac6a98b819ffb9c59ba", "event_fingerprint": "0872fe3e645d4c8b4e65fc08b86cca2f1f7cd9e9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7380681ea4b51b23e77acae1e6f261d1", "payload_hash": "5b60945a9c65a69fb794f6fe448bcc4d", "path_pattern_hash": "1bde6fec443f458560d30e82dbf9f869" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/config\/app.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit\/537.36 (", "method": "GET", "path": "\/config\/app.php", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/app.php HTTP\/1.1", "request_sample": "GET \/config\/app.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/config\/app.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/config\/app.php", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/app.php HTTP\/1.1", "request_sample": "GET \/config\/app.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/config\/app.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0eb9e9dcadf2ec0bd8754caef0ff3a3313151001", "protocol_details": { "http_method": "GET", "http_path": "\/config\/app.php", "request_line": "GET \/config\/app.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/53\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/app.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit\/537.36 (", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/app.php", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/app.php", "request_line": "GET \/config\/app.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/53\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/app.php", "evidence_snippet": "GET \/config\/app.php HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G925F) AppleWebKit\/537.36 (", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7373 · (tentative d'exploit) · → /services/config.json	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /services/config.json UA Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /services/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /services/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/config.json HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany/1.2.5 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /services/config.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Ep Requête brute (extrait) GET /services/config.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany/1.2.5 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "ecb1dd60194d80cee5b933a3a690e5d4025d6333", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "849650fda3ca7d8e7fb5a869d1e03c4ddb7e054b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.283350889518033, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3fb145b4a7162fd2843d6351dcff7780b7368321", "event_fingerprint": "36295795796d911e36f666cb8a1dc8aa2306ecbf", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3404eb858bcbf0dde5901c9d2466e76f", "payload_hash": "ca2435abbfd466f16b121e7e16e5606c", "path_pattern_hash": "1c9a0086526de918aaad2c3c4d637227" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/services\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Ep", "method": "GET", "path": "\/services\/config.json", "user_agent": "Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany\/1.2.5", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/config.json HTTP\/1.1", "request_sample": "GET \/services\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany\/1.2.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Ep", "evidence": { "method": "GET", "path": "\/services\/config.json", "user_agent": "Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany\/1.2.5", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/config.json HTTP\/1.1", "request_sample": "GET \/services\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany\/1.2.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Ep", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf04ff6d36dd6cf31e45d43613ea198909053389", "protocol_details": { "http_method": "GET", "http_path": "\/services\/config.json", "request_line": "GET \/services\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany\/1.2.5", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Ep", "attack_vector": "config file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/config.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/config.json", "request_line": "GET \/services\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany\/1.2.5", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/config.json", "evidence_snippet": "GET \/services\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Ep", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7373 · (tentative d'exploit) · → /internal/config.json	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /internal/config.json UA Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit/537.36… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_internal Cible HTTP GET /internal/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /internal/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /internal/config.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /internal/config.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit/ Requête brute (extrait) GET /internal/config.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "d42e15fb235fa6871988e0c1462395e181e7e6a6", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "37c197fe9359087d8eaa32bd64802e5cf10f3318", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 265, "payload_entropy": 5.381927341073019, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.3, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "94fb632f5275c79f3df4fe8809e58753d32f4e0a", "event_fingerprint": "4fd878dc76333f9f7d8997b60d8955c811cfa23a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7d37f0bdbf685d31cafbcac854985c6e", "payload_hash": "3ffa04da8ba4726f1db695e094d70e68", "path_pattern_hash": "d046288edb8a0675371a7426276833c2" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/internal\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit\/", "method": "GET", "path": "\/internal\/config.json", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/internal\/config.json HTTP\/1.1", "request_sample": "GET \/internal\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/internal\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/internal\/config.json", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/internal\/config.json HTTP\/1.1", "request_sample": "GET \/internal\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/internal\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit\/", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "08fd106f75c6d997243983df2b97970a1d1a0a8f", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/config.json", "request_line": "GET \/internal\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/internal\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit\/", "attack_vector": "config file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/config.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/config.json", "request_line": "GET \/internal\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/config.json", "evidence_snippet": "GET \/internal\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-G900F) AppleWebKit\/", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_internal", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:7373 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7373 Chemin / cible — Service TLS Payload ��Ԫ��F T�9�z}X��m� ��η]�^,[��= ��/�<QC�k"�}&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Ԫ��F T�9�z}X��m� ��η]�^,[��=��/�<QC�k"�}&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Ԫ��F T�9�z}X��m� ��η]�^,[��= ��/�<QC�k"�}&�+�/�,�0̨̩� �� /5� w �+3&$ [�!ױ��H�Ϗ��CY�F�/)܉�P�[R Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.764521630395292, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8aa0986985b15fad944749be675067b127bd5dfd", "event_fingerprint": "80ae7b245ee692f04eaae628590d47ffc7bce516", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "71f058c78097b14c0427b6860a2c2818", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7373, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u052a\ufffd\ufffd\ufffd\ufffd\u0006\u001fF\nT\u0013\u0001\ufffd9\ufffdz\u0010}X\ufffd\ufffd\u0003\ufffd\ufffd\ufffdm\ufffd \ufffd\ufffd\u03b7]\ufffd^\u0010,[\ufffd\ufffd=\f\u0016\ufffd\ufffd\ufffd\u0014\ufffd\u0007\ufffd\/\ufffd<QC\ufffdk\"\ufffd}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u052a\ufffd\ufffd\ufffd\ufffd\u0006\u001fF\nT\u0013\u0001\ufffd9\ufffdz\u0010}X\ufffd\ufffd\u0003\ufffd\ufffd\ufffdm\ufffd \ufffd\ufffd\u03b7]\ufffd^\u0010,[\ufffd\ufffd=\f\u0016\ufffd\ufffd\ufffd\u0014\ufffd\u0007\ufffd\/\ufffd<QC\ufffdk\"\ufffd}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 [\ufffd!\u05f1\ufffd\ufffdH\ufffd\u03cf\ufffd\ufffd\ufffdC\u0012\u0013Y\ufffdF\u0018\ufffd\/)\u0709\ufffdP\ufffd[R\u0013", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u052a\ufffd\ufffd\ufffd\ufffd\u0006\u001fF\nT\u0013\u0001\ufffd9\ufffdz\u0010}X\ufffd\ufffd\u0003\ufffd\ufffd\ufffdm\ufffd \ufffd\ufffd\u03b7]\ufffd^\u0010,[\ufffd\ufffd=\f\u0016\ufffd\ufffd\ufffd\u0014\ufffd\u0007\ufffd\/\ufffd<QC\ufffdk\"\ufffd}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c2ec5a9c3d36981fe83ae20d1ccf64f485801715", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u052a\ufffd\ufffd\ufffd\ufffd\u0006\u001fF\nT\u0013\u0001\ufffd9\ufffdz\u0010}X\ufffd\ufffd\u0003\ufffd\ufffd\ufffdm\ufffd \ufffd\ufffd\u03b7]\ufffd^\u0010,[\ufffd\ufffd=\f\u0016\ufffd\ufffd\ufffd\u0014\ufffd\u0007\ufffd\/\ufffd<QC\ufffdk\"\ufffd}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\u052a\ufffd\ufffd\ufffd\ufffdF\nT\ufffd9\ufffdz}X\ufffd\ufffd\ufffd\ufffd\ufffdm\ufffd \ufffd\ufffd\u03b7]\ufffd^,[\ufffd\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffd<QC\ufffdk\"\ufffd}&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u052a\ufffd\ufffd\ufffd\ufffd\u0006\u001fF\nT\u0013\u0001\ufffd9\ufffdz\u0010}X\ufffd\ufffd\u0003\ufffd\ufffd\ufffdm\ufffd \ufffd\ufffd\u03b7]\ufffd^\u0010,[\ufffd\ufffd=\f\u0016\ufffd\ufffd\ufffd\u0014\ufffd\u0007\ufffd\/\ufffd<QC\ufffdk\"\ufffd}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\u052a\ufffd\ufffd\ufffd\ufffdF\nT\ufffd9\ufffdz}X\ufffd\ufffd\ufffd\ufffd\ufffdm\ufffd \ufffd\ufffd\u03b7]\ufffd^,[\ufffd\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffd<QC\ufffdk\"\ufffd}&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /internal/config.yml	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /internal/config.yml UA Mozilla/5.0 (X11; Linux i686; rv:46.0) Gecko/20100101 Firefox/4… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_internal Cible HTTP GET /internal/config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /internal/config.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /internal/config.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:46.0) Gecko/20100101 Firefox/46.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /internal/config.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:46.0) Gecko/20100101 Fire Requête brute (extrait) GET /internal/config.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:46.0) Gecko/20100101 Firefox/46.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "ed562f4ce0ce36d4da8120f8a185ebd7d4f96b75", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "84b99aee73556df7a4efeffa522f9587a983cdbf", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 205, "payload_entropy": 5.306499779978476, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "fd4c68d6729f48de36a9dad435385ef6f36b92b3", "event_fingerprint": "ae92352a58dabe58b536d1da4c5123c5ccb64394", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c3b8ffd6d4f92441ef5d8e508ab43875", "payload_hash": "c1e53501a4a5dc17d15f9b6870841f2b", "path_pattern_hash": "2e4a225629002cdfe7eaf4ad6aeee5e3" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/internal\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Fire", "method": "GET", "path": "\/internal\/config.yml", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/internal\/config.yml HTTP\/1.1", "request_sample": "GET \/internal\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/internal\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Fire", "evidence": { "method": "GET", "path": "\/internal\/config.yml", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/internal\/config.yml HTTP\/1.1", "request_sample": "GET \/internal\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/internal\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Fire", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "779aff2db1038acdbe39dd4a19e3a2e2f3b9b25c", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/config.yml", "request_line": "GET \/internal\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/internal\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Fire", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/config.yml", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/config.yml", "request_line": "GET \/internal\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/config.yml", "evidence_snippet": "GET \/internal\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Fire", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_internal", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /services/config.yml	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /services/config.yml UA Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebK… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /services/config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /services/config.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/config.yml HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /services/config.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) Appl Requête brute (extrait) GET /services/config.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13C75 Safari/601.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connec Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "fad7384d223ed4e6d873d03a31cc652b3a35a481", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "2d88915b17a3e9417f411d093261d57afedac11a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 271, "payload_entropy": 5.398519277978781, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 64, "tag_count": 4, "anomaly_count": 0, "campaign_key": "05f3bd052b9cff3160d287bf5c585185b75cabc0", "event_fingerprint": "7f23ac3586ffc6aca274d026b1f37b2e35641849", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "10b88c33b1902b306bc263bae39aa836", "payload_hash": "8a5b530cf5a9c42489640a113d845bf5", "path_pattern_hash": "c77847d5436776141786847bba665ee6" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/services\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) Appl", "method": "GET", "path": "\/services\/config.yml", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13C75 Safari\/601.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/config.yml HTTP\/1.1", "request_sample": "GET \/services\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13C75 Safari\/601.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/services\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) Appl", "evidence": { "method": "GET", "path": "\/services\/config.yml", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13C75 Safari\/601.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/config.yml HTTP\/1.1", "request_sample": "GET \/services\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13C75 Safari\/601.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/services\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) Appl", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9e52d00ec838baa92d3a0974a4a5ac502e5348ab", "protocol_details": { "http_method": "GET", "http_path": "\/services\/config.yml", "request_line": "GET \/services\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13C75\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) Appl", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/config.yml", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/config.yml", "request_line": "GET \/services\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13C75\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/config.yml", "evidence_snippet": "GET \/services\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) Appl", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7373 · (tentative d'exploit) · → /private/config.json	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /private/config.json UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_private Cible HTTP GET /private/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /private/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private/config.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private/config.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi Requête brute (extrait) GET /private/config.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "4b4d44441cea9a6f69a04e397b310dcf47145d82", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "9da8385e7491d9f52a230e3a1c8c565aba119417", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.396325714709017, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.3, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c1e4d9747e66cc364ea627e95d4fb34a9e73b7d5", "event_fingerprint": "c0dd22513d6f7184439c7679e3e02c810375a9ad", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "410496fe29d0f9f579c9e4e5eacd1182", "payload_hash": "e69c07968d42fbd63ba3d8e0163a9053", "path_pattern_hash": "a8e2e774a183bdb09e7d488718c8d6ab" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi", "method": "GET", "path": "\/private\/config.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private\/config.json HTTP\/1.1", "request_sample": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi", "evidence": { "method": "GET", "path": "\/private\/config.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private\/config.json HTTP\/1.1", "request_sample": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a8ddf5b85d06c1851d4d1111377faf83e6ba0f7c", "protocol_details": { "http_method": "GET", "http_path": "\/private\/config.json", "request_line": "GET \/private\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi", "attack_vector": "config file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/config.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private\/config.json", "request_line": "GET \/private\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/config.json", "evidence_snippet": "GET \/private\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_private", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /services/application.yml	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /services/application.yml UA Mozilla/4.0 (PSP (PlayStation Portable); 2.00) Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 net_flood Cible HTTP GET /services/application.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /services/application.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/application.yml HTTP/1.1` User-Agent Mozilla/4.0 (PSP (PlayStation Portable); 2.00) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /services/application.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/4.0 (PSP (PlayStation Portable); 2.00) Accep Requête brute (extrait) GET /services/application.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/4.0 (PSP (PlayStation Portable); 2.00) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "0259b0a6e9b661df49adf36e35aad2ba1cf30207", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "55b6d2ef8836af67e6f27bf09e5982be1b55ff6c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.21850833046081, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f2d6497ce7855945b4be90f00f56157e235ae257", "event_fingerprint": "0fa9586c5ce6450264579d2f3410ea922b7d9c7d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "23cef6c3f06394596e11a276d5422da4", "payload_hash": "0ee7627d6caa44051c827bf17377a48c", "path_pattern_hash": "427a79bd587af67e27894e14297375f5" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)\r\nAccep", "method": "GET", "path": "\/services\/application.yml", "user_agent": "Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/application.yml HTTP\/1.1", "request_sample": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)\r\nAccep", "evidence": { "method": "GET", "path": "\/services\/application.yml", "user_agent": "Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/application.yml HTTP\/1.1", "request_sample": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)\r\nAccep", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4d257397a37bea013fc4511735a65def7bc70acc", "protocol_details": { "http_method": "GET", "http_path": "\/services\/application.yml", "request_line": "GET \/services\/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)\r\nAccep", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/application.yml", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/application.yml", "request_line": "GET \/services\/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/application.yml", "evidence_snippet": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/4.0 (PSP (PlayStation Portable); 2.00)\r\nAccep", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:7373 · (tentative d'exploit) · → /internal/credentials.json	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /internal/credentials.json UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_internal Cible HTTP GET /internal/credentials.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /internal/credentials.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0472 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Credentials JSON Ligne de requête `GET /internal/credentials.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /internal/credentials.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537. Requête brute (extrait) GET /internal/credentials.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "4e40b754177d1f49692ed041d7676835db2f8a37", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "67a2d20eccea3e1476efbd10b6c219968bcd3d37", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.382724204836932, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c3dfdd8079cb80ef0f9e4dbab6ebc3fec21d5a45", "event_fingerprint": "ad5eb257b020b0796147edd21745fec06ee6cb7f", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0472" ], "matched_pattern_names": [ "Cred Credentials JSON" ], "pattern_ids": [ "pat-0472" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7697b1a321cff681099e6e1cb67176ea", "payload_hash": "f842a5e8c3965b76cfd42baeea7b9368", "path_pattern_hash": "a92d8e41a7082a2d86555abaec1a1134" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/internal\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.", "method": "GET", "path": "\/internal\/credentials.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/internal\/credentials.json HTTP\/1.1", "request_sample": "GET \/internal\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/internal\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/internal\/credentials.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/internal\/credentials.json HTTP\/1.1", "request_sample": "GET \/internal\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/internal\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e7d116d3e6607f7623e17553c5aa874b9149d8d9", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/credentials.json", "request_line": "GET \/internal\/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/internal\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.", "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/credentials.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0472", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0472", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/credentials.json", "request_line": "GET \/internal\/credentials.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/credentials.json", "evidence_snippet": "GET \/internal\/credentials.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_internal", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /services/database.yml	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /services/database.yml UA Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko/200… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /services/database.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /services/database.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Database YAML Ligne de requête `GET /services/database.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko/2008092814 (Debian-3.0.1-1) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /services/database.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Ge Requête brute (extrait) GET /services/database.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko/2008092814 (Debian-3.0.1-1) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "af95654136764219f3e1be062b59f67c138da948", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "f7bb9e40fee8cec674637bbf331e53a5b8590736", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 228, "payload_entropy": 5.41583535984689, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 64, "tag_count": 4, "anomaly_count": 0, "campaign_key": "05f3bd052b9cff3160d287bf5c585185b75cabc0", "event_fingerprint": "330626ff62a4d4985c6bc17a4934467f60f6f6bc", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0474" ], "matched_pattern_names": [ "Cred Database YAML" ], "pattern_ids": [ "pat-0474" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6ad009cbfe015d0ea51aa1bd68d4dfd3", "payload_hash": "d3344cc99b06c394b75c88ac761de778", "path_pattern_hash": "95fb64daae7070423a309432871be5ab" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/services\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Ge", "method": "GET", "path": "\/services\/database.yml", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/database.yml HTTP\/1.1", "request_sample": "GET \/services\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Ge", "evidence": { "method": "GET", "path": "\/services\/database.yml", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/database.yml HTTP\/1.1", "request_sample": "GET \/services\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/services\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Ge", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "54fbce7bcd4946f3a9a7bfb49c90b827b2637990", "protocol_details": { "http_method": "GET", "http_path": "\/services\/database.yml", "request_line": "GET \/services\/database.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Ge", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/database.yml", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/database.yml", "request_line": "GET \/services\/database.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/database.yml", "evidence_snippet": "GET \/services\/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Ge", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:7373 · (tentative d'exploit) · → /services/secrets.json	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /services/secrets.json UA Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/537.36… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_k8s_probe Cible HTTP GET /services/secrets.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /services/secrets.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0496 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Secrets JSON file Ligne de requête `GET /services/secrets.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /services/secrets.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit Requête brute (extrait) GET /services/secrets.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "8cbbda8cc9be4123eddc2785867e3c97fb0c8a52", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "e5f28d9dabe348c75152a0d03b8af3948967c412", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 265, "payload_entropy": 5.368520624601232, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4f00f525fdd7ff927ed76b52298b4164a2ee3153", "event_fingerprint": "c8f0e220cea6cb9544c5199f725f3555f9ef2a2a", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0496" ], "matched_pattern_names": [ "Cred Secrets JSON file" ], "pattern_ids": [ "pat-0496" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f96952febd4c91672db1b557bbdb9d87", "payload_hash": "83e2624c9ba709c9eb049cd85dee6270", "path_pattern_hash": "e5ca14018f208a625d89b1bb0ac742c9" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/services\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit", "method": "GET", "path": "\/services\/secrets.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/secrets.json HTTP\/1.1", "request_sample": "GET \/services\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/services\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit", "evidence": { "method": "GET", "path": "\/services\/secrets.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/services\/secrets.json HTTP\/1.1", "request_sample": "GET \/services\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/services\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "46d80cf71812bd3f0f4100a5fd6beeb1ed918894", "protocol_details": { "http_method": "GET", "http_path": "\/services\/secrets.json", "request_line": "GET \/services\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit", "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/secrets.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0496", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/secrets.json", "request_line": "GET \/services\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/secrets.json", "evidence_snippet": "GET \/services\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_k8s_probe", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:7373 · (tentative d'exploit) · → /internal/secrets.json	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /internal/secrets.json UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_k8s_probe Cible HTTP GET /internal/secrets.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /internal/secrets.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0496 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Secrets JSON file Ligne de requête `GET /internal/secrets.json HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) snap Chromium/75.0.3770.142 Chrome/75.0.3770.142 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /internal/secrets.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /internal/secrets.json HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) snap Chromium/75.0.3770.142 Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "cc917cf6074a981fb70c378babfd8df895e5c3b7", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "e7406b4d8f1796ab257c40ae6f6c0b897e45a189", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 274, "payload_entropy": 5.394033346936904, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.3, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "03d17879dd1ad3b68a2dfc1ce12e4e8fb1b4f97d", "event_fingerprint": "0122d316bda5ab58be34f32860aca4f30324465f", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0496" ], "matched_pattern_names": [ "Cred Secrets JSON file" ], "pattern_ids": [ "pat-0496" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "95ddbe0b148dd48d21844dff1d496cdc", "payload_hash": "f4b444adb9ff4de96913aa041e463013", "path_pattern_hash": "d62c78f7ba64ca452bd03619c00c7af4" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/internal\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/internal\/secrets.json", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) snap Chromium\/75.0.3770.142 Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/internal\/secrets.json HTTP\/1.1", "request_sample": "GET \/internal\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) snap Chromium\/75.0.3770.142 Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/internal\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/internal\/secrets.json", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) snap Chromium\/75.0.3770.142 Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/internal\/secrets.json HTTP\/1.1", "request_sample": "GET \/internal\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) snap Chromium\/75.0.3770.142 Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/internal\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "db80cb5bf227f5f22c3ba1bbcff40d3507c3e556", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/secrets.json", "request_line": "GET \/internal\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) snap Chromium\/75.0.3770.142 Chrome\/75.0.3770.142\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/internal\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/secrets.json", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0496", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/secrets.json", "request_line": "GET \/internal\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) snap Chromium\/75.0.3770.142 Chrome\/75.0.3770.142\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/secrets.json", "evidence_snippet": "GET \/internal\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_k8s_probe", "http_probe_internal", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:7373 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7373 Chemin / cible — Service TLS Payload ��9\|��Ľ�o�C,]��u+5��{F�)� 7i�X5��Q=VC�˓ ӈ��-�G��衅�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��9\|��Ľ�o�C,]��u+5��{F�)� 7i�X5��Q=VC�˓ ӈ��-�G��衅�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��9\|��Ľ�o�C,]��u+5��{F�)� 7i�X5��Q=VC�˓ ӈ��-�G��衅�&�+�/�,�0̨̩� �� /5� w �+3&$ �~TgN-��]ƼC �p��p�\Д�XP6m Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.781179312817168, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8aa0986985b15fad944749be675067b127bd5dfd", "event_fingerprint": "80ae7b245ee692f04eaae628590d47ffc7bce516", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "525c42d69f98ee9094a3b8392b8f5e5c", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7373, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd9\u0002\|\ufffd\ufffd\u013d\ufffdo\ufffdC,]\ufffd\ufffd\ufffdu+5\ufffd\ufffd\ufffd\ufffd\ufffd\u0002{F\ufffd)\ufffd 7i\ufffdX5\ufffd\u0004\ufffd\ufffdQ=VC\ufffd\u02d3\r\u04c8\ufffd\ufffd-\u0004\ufffdG\ufffd\ufffd\u8845\ufffd\u0013\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd9\u0002\|\ufffd\ufffd\u013d\ufffdo\ufffdC,]\ufffd\ufffd\ufffdu+5\ufffd\ufffd\ufffd\ufffd\ufffd\u0002{F\ufffd)\ufffd 7i\ufffdX5\ufffd\u0004\ufffd\ufffdQ=VC\ufffd\u02d3\r\u04c8\ufffd\ufffd-\u0004\ufffdG\ufffd\ufffd\u8845\ufffd\u0013\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd~TgN-\ufffd\ufffd]\u01bcC\b\n\u001d\ufffdp\u0093\ufffd\ufffdp\ufffd\\\u0414\u0001\ufffdXP6m", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd9\u0002\|\ufffd\ufffd\u013d\ufffdo\ufffdC,]\ufffd\ufffd\ufffdu+5\ufffd\ufffd\ufffd\ufffd\ufffd\u0002{F\ufffd)\ufffd 7i\ufffdX5\ufffd\u0004\ufffd\ufffdQ=VC\ufffd\u02d3\r\u04c8\ufffd\ufffd-\u0004\ufffdG\ufffd\ufffd\u8845\ufffd\u0013\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "007a4951898bb5ed78bd88f515d91099935884b1", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd9\u0002\|\ufffd\ufffd\u013d\ufffdo\ufffdC,]\ufffd\ufffd\ufffdu+5\ufffd\ufffd\ufffd\ufffd\ufffd\u0002{F\ufffd)\ufffd 7i\ufffdX5\ufffd\u0004\ufffd\ufffdQ=VC\ufffd\u02d3\r\u04c8\ufffd\ufffd-\u0004\ufffdG\ufffd\ufffd\u8845\ufffd\u0013\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd9\|\ufffd\ufffd\u013d\ufffdo\ufffdC,]\ufffd\ufffd\ufffdu+5\ufffd\ufffd\ufffd\ufffd\ufffd{F\ufffd)\ufffd 7i\ufffdX5\ufffd\ufffd\ufffdQ=VC\ufffd\u02d3\r\u04c8\ufffd\ufffd-\ufffdG\ufffd\ufffd\u8845\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd9\u0002\|\ufffd\ufffd\u013d\ufffdo\ufffdC,]\ufffd\ufffd\ufffdu+5\ufffd\ufffd\ufffd\ufffd\ufffd\u0002{F\ufffd)\ufffd 7i\ufffdX5\ufffd\u0004\ufffd\ufffdQ=VC\ufffd\u02d3\r\u04c8\ufffd\ufffd-\u0004\ufffdG\ufffd\ufffd\u8845\ufffd\u0013\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd9\|\ufffd\ufffd\u013d\ufffdo\ufffdC,]\ufffd\ufffd\ufffdu+5\ufffd\ufffd\ufffd\ufffd\ufffd{F\ufffd)\ufffd 7i\ufffdX5\ufffd\ufffd\ufffdQ=VC\ufffd\u02d3\r\u04c8\ufffd\ufffd-\ufffdG\ufffd\ufffd\u8845\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · HTTP	http	Flood / DDoS http flood · via HTTP:7373 · (tentative d'exploit) · → /app/config/parameters.yml	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/config/parameters.yml UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/config/parameters.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible /app/config/parameters.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/config/parameters.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 YaBrowser/19.7.3.172 Yowser/2.5 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537. Requête brute (extrait) GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 YaBrowser/19.7.3.172 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Encodin Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "843826985604d07c966861fd7b6f38fd550e66f6", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "cc8382c07ae1d99dcd8bb8a9e6a6c1ada2d7d586", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 286, "payload_entropy": 5.419639505748741, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 64, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bab03f20c37d1f7247a4f1b9166bd5390cc9877d", "event_fingerprint": "0027e54c8b17836704bf853bdd10ec21a6e6e68d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ff0a275ce4a567dd0e86c420c96ff2e2", "payload_hash": "defdaa9290e26b16af55a57e97c684f9", "path_pattern_hash": "14e465936c1b9cf9455ba711f44752e2" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.", "method": "GET", "path": "\/app\/config\/parameters.yml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.3.172 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.3.172 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encodin", "payload_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/app\/config\/parameters.yml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.3.172 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.3.172 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encodin", "payload_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3f198feb88493894a2d8e7e0db803f0f3706d349", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yml", "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.3.172 Yo\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yml", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yml", "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.3.172 Yo\u2026", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7373 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yml", "evidence_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:7373 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7373 Chemin / cible — Service TLS Payload ��9y��:�Aj��D&��h8RC��T}� � �ۻzcEd��ӡ�� )C��i�2c��ø�Ȱ��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��9y��:�Aj��D&��h8RC��T}� � �ۻzcEd��ӡ�� )C��i�2c��ø�Ȱ��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��9y��:�Aj��D&��h8RC��T}� � �ۻzcEd��ӡ�� )C��i�2c��ø�Ȱ��&�+�/�,�0̨̩� �� /5� w �+3&$ ��D?�6�7�k߲��p��"�F x�y! Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.876122966024212, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8aa0986985b15fad944749be675067b127bd5dfd", "event_fingerprint": "80ae7b245ee692f04eaae628590d47ffc7bce516", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "8b6f38176206c73e303cbbef9f79a3e3", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7373, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd9y\ufffd\u0003\ufffd:\ufffdAj\ufffd\ufffd\ufffdD&\ufffd\ufffdh8\u0016RC\ufffd\ufffdT}\ufffd\t\ufffd \ufffd\u06fbzcEd\ufffd\ufffd\u04e1\ufffd\ufffd\ufffd\n)C\ufffd\ufffdi\ufffd2c\ufffd\ufffd\u00f8\ufffd\u0230\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd9y\ufffd\u0003\ufffd:\ufffdAj\ufffd\ufffd\ufffdD&\ufffd\ufffdh8\u0016RC\ufffd\ufffdT}\ufffd\t\ufffd \ufffd\u06fbzcEd\ufffd\ufffd\u04e1\ufffd\ufffd\ufffd\n)C\ufffd\ufffdi\ufffd2c\ufffd\ufffd\u00f8\ufffd\u0230\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u0018\u0016D?\ufffd6\ufffd7\ufffdk\u07f2\ufffd\ufffd\ufffd\u001ap\ufffd\ufffd\"\ufffdF\u000bx\u000f\ufffdy\u0007!", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd9y\ufffd\u0003\ufffd:\ufffdAj\ufffd\ufffd\ufffdD&\ufffd\ufffdh8\u0016RC\ufffd\ufffdT}\ufffd\t\ufffd \ufffd\u06fbzcEd\ufffd\ufffd\u04e1\ufffd\ufffd\ufffd\n)C\ufffd\ufffdi\ufffd2c\ufffd\ufffd\u00f8\ufffd\u0230\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a3863fdadddb17b2287e158e3a1760f5ee7c874d", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd9y\ufffd\u0003\ufffd:\ufffdAj\ufffd\ufffd\ufffdD&\ufffd\ufffdh8\u0016RC\ufffd\ufffdT}\ufffd\t\ufffd \ufffd\u06fbzcEd\ufffd\ufffd\u04e1\ufffd\ufffd\ufffd\n)C\ufffd\ufffdi\ufffd2c\ufffd\ufffd\u00f8\ufffd\u0230\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd9y\ufffd\ufffd:\ufffdAj\ufffd\ufffd\ufffdD&\ufffd\ufffdh8RC\ufffd\ufffdT}\ufffd\t\ufffd \ufffd\u06fbzcEd\ufffd\ufffd\u04e1\ufffd\ufffd\ufffd\n)C\ufffd\ufffdi\ufffd2c\ufffd\ufffd\u00f8\ufffd\u0230\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd9y\ufffd\u0003\ufffd:\ufffdAj\ufffd\ufffd\ufffdD&\ufffd\ufffdh8\u0016RC\ufffd\ufffdT}\ufffd\t\ufffd \ufffd\u06fbzcEd\ufffd\ufffd\u04e1\ufffd\ufffd\ufffd\n)C\ufffd\ufffdi\ufffd2c\ufffd\ufffd\u00f8\ufffd\u0230\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd9y\ufffd\ufffd:\ufffdAj\ufffd\ufffd\ufffdD&\ufffd\ufffdh8RC\ufffd\ufffdT}*\ufffd\t\ufffd \ufffd\u06fbzcEd\ufffd\ufffd\u04e1\ufffd\ufffd\ufffd\n)C\ufffd\ufffdi\ufffd2c\ufffd\ufffd\u00f8\ufffd\u0230\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:7373 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7373 Chemin / cible — Service TLS Payload �� q��n�u��56xҐV�=��O6=0ׁ 1q4X� '��j+�z�=�&W3��?�;�Xj&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �� q��n�u��56xҐV�=��O6=0ׁ 1q4X� '��j+�z�=�&W3��?�;�Xj&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) �� q��n�u��56xҐV�=��O6=0ׁ 1q4X� '��j+�z�=�&W3��?�;�Xj&�+�/�,�0̨̩� �� /5� w �+3&$ Dd&��o'�}��'p�~w=�F{ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.755809629195079, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8aa0986985b15fad944749be675067b127bd5dfd", "event_fingerprint": "80ae7b245ee692f04eaae628590d47ffc7bce516", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "4b5ba74605cc474ab83d8e21ae760427", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7373, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\nq\ufffd\ufffdn\ufffdu\ufffd\u001e\ufffd56\u0016x\u0490V\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdO6=0\u05c1 1q\u0006\u00034X\ufffd\n'\ufffd\ufffdj+\ufffdz\u001a\ufffd\u0010=\ufffd&W3\ufffd\ufffd?\ufffd;\u001e\ufffdXj\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\nq\ufffd\ufffdn\ufffdu\ufffd\u001e\ufffd56\u0016x\u0490V\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdO6=0\u05c1 1q\u0006\u00034X\ufffd\n'\ufffd\ufffdj+\ufffdz\u001a\ufffd\u0010=\ufffd&W3\ufffd\ufffd?\ufffd;\u001e\ufffdXj\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 D\u001ed\u0017&\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdo'\ufffd\u0017}\ufffd\ufffd'p\u0002\ufffd~w=\u0007\ufffd\u001dF{", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\nq\ufffd\ufffdn\ufffdu\ufffd\u001e\ufffd56\u0016x\u0490V\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdO6=0\u05c1 1q\u0006\u00034X\ufffd\n'\ufffd\ufffdj+\ufffdz\u001a\ufffd\u0010=\ufffd&W3\ufffd\ufffd?\ufffd;\u001e\ufffdXj\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e21facb6f75063f0fd52428e7dc462d9b2335610", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\nq\ufffd\ufffdn\ufffdu\ufffd\u001e\ufffd56\u0016x\u0490V\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdO6=0\u05c1 1q\u0006\u00034X\ufffd\n'\ufffd\ufffdj+\ufffdz\u001a\ufffd\u0010=\ufffd&W3\ufffd\ufffd?\ufffd;\u001e\ufffdXj\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\nq\ufffd\ufffdn\ufffdu\ufffd\ufffd56x\u0490V\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdO6=0\u05c1 1q4X\ufffd\n'\ufffd\ufffdj+\ufffdz\ufffd=\ufffd&W3\ufffd\ufffd?\ufffd;\ufffdXj&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\nq\ufffd\ufffdn\ufffdu\ufffd\u001e\ufffd56\u0016x\u0490V\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdO6=0\u05c1 1q\u0006\u00034X\ufffd\n'\ufffd\ufffdj+\ufffdz\u001a\ufffd\u0010=\ufffd&W3\ufffd\ufffd?\ufffd;\u001e\ufffdXj\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\nq\ufffd\ufffdn\ufffdu\ufffd\ufffd56x\u0490V\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdO6=0\u05c1 1q4X\ufffd\n'\ufffd\ufffdj+\ufffdz\ufffd=\ufffd&W3\ufffd\ufffd?\ufffd;\ufffdXj&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
14/06/2026 15:21:50 UTC	TCP	7373 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:7373 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7373 Chemin / cible — Service TLS Payload ��ߖ� A ��X��y,[�q��Z< 8y�+�\z�?��=>.}o Z�C�9�_D�p��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��ߖ� A��X��y,[�q��Z< 8y�+�\z�?��=>.}o Z�C�9�_D�p��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��ߖ� A ��X��y,[�q��Z< 8y�+�\z�?��=>.}o Z�C�9�_D�p��&�+�/�,�0̨̩� �� /5� w �+3&$ �Y=�^_��&юz�)�[�6 �;��O. Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.842115328316998, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "BR", "dst_port": 7373, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8aa0986985b15fad944749be675067b127bd5dfd", "event_fingerprint": "80ae7b245ee692f04eaae628590d47ffc7bce516", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "eeb43646b0e3950d5208ada85016d64b", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7373, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u07d6\u0012\ufffd A\f\ufffd\ufffdX\ufffd\ufffd\ufffdy,[\ufffdq\ufffd\u000e\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0011Z< 8y\ufffd+\ufffd\u0016\\\u0015z\ufffd?\ufffd\ufffd\ufffd=>.}o\rZ\ufffdC\ufffd9\ufffd_D\ufffdp\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u07d6\u0012\ufffd A\f\ufffd\ufffdX\ufffd\ufffd\ufffdy,[\ufffdq\ufffd\u000e\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0011Z< 8y\ufffd+\ufffd\u0016\\\u0015z\ufffd?\ufffd\ufffd\ufffd=>.}o\rZ\ufffdC\ufffd9\ufffd_D\ufffdp\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdY=\ufffd\u0005^_\u0006\ufffd\ufffd&\u044ez\ufffd)\ufffd[\ufffd6\u001e\n\u0000\ufffd;\ufffd\u0006\ufffdO.", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u07d6\u0012\ufffd A\f\ufffd\ufffdX\ufffd\ufffd\ufffdy,[\ufffdq\ufffd\u000e\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0011Z< 8y\ufffd+\ufffd\u0016\\\u0015z\ufffd?\ufffd\ufffd\ufffd=>.}o\rZ\ufffdC\ufffd9\ufffd_D\ufffdp\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "04c44c2931fef7a082de3dad791df4b920e20cbf", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u07d6\u0012\ufffd A\f\ufffd\ufffdX\ufffd\ufffd\ufffdy,[\ufffdq\ufffd\u000e\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0011Z< 8y\ufffd+\ufffd\u0016\\\u0015z\ufffd?\ufffd\ufffd\ufffd=>.}o\rZ\ufffdC\ufffd9\ufffd_D\ufffdp\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\u07d6\ufffd A\ufffd\ufffdX\ufffd\ufffd\ufffdy,[\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ< 8y\ufffd+\ufffd\\z\ufffd?\ufffd\ufffd\ufffd=>.}o\rZ\ufffdC\ufffd9\ufffd_D\ufffdp\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u07d6\u0012\ufffd A\f\ufffd\ufffdX\ufffd\ufffd\ufffdy,[\ufffdq\ufffd\u000e\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0011Z< 8y\ufffd+\ufffd\u0016\\\u0015z\ufffd?\ufffd\ufffd\ufffd=>.}o\rZ\ufffdC\ufffd9\ufffd_D\ufffdp\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 7373, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:7373 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\u07d6\ufffd A\ufffd\ufffdX\ufffd\ufffd\ufffdy,[\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ< 8y\ufffd+\ufffd\\z\ufffd?\ufffd\ufffd\ufffd=>.}o\rZ\ufffdC\ufffd9\ufffd_D\ufffdp\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "7373 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }

35.198.18.110

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence