Renseignement sur les menaces

Brésil

35.198.38.231

FAI Google LLC Première vue 14/06/2026 16:15 UTC Dernière vue 14/06/2026 16:15 UTC Risque Élevé

Période analysée : 2026-05-18 → 2026-06-17

Activité suspecte — risque 55/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 75/100 Élevé

Première observation 14/06/2026 16:15 UTC

Dernière observation 14/06/2026 16:15 UTC

Événements (période) 606

MITRE ATT&CK principal T1499 473 occurrences

Activité suspecte — risque 55/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 60 · 2 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 35.198.32.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 606 événements sur la période pour cette IP.

205.210.31.75 Sonde Memcached 17/06/2026 22:07 UTC
147.185.132.216 openvpn probe 17/06/2026 22:04 UTC
147.185.132.153 Scanner web 17/06/2026 22:00 UTC
147.185.132.90 Scanner web 17/06/2026 21:58 UTC
147.185.132.49 Scanner web 17/06/2026 21:53 UTC
205.210.31.73 Sonde port 4911/TCP 17/06/2026 21:51 UTC
198.235.24.229 Scanner web 17/06/2026 21:48 UTC
147.185.132.129 Scanner web 17/06/2026 21:47 UTC

Événements (filtres)

606

Première observation

14/06/2026 16:15 UTC

Dernière observation

14/06/2026 16:15 UTC

Dernière activité (filtres)

14/06/2026 16:15 UTC

Événements 7j

606

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Géolocalisation

Origine réseau déclarée

Brésil unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 8080 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http flood · via HTTP:8080 · (tentative d'exploit) · → /sendgrid.yaml

Détails protocole

Méthode: GET
Chemin: /sendgrid.yaml
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Cri…

Aperçu payload

GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebK

Port / service

8080 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 2 tag(s) WAF

Technique MITRE

T1499

Persona capteur

mail.sensor-1.internal

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1499 Upstream Waf Score

Confiance

100%

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

606 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

606 événement(s) — page 1/13

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sendgrid_config.py	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid_config.py UA Opera/9.80 (X11; Linux i686) Presto/2.12.388 Version/12.16 Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid_config.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sendgrid_config.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid_config.py HTTP/1.1` User-Agent Opera/9.80 (X11; Linux i686) Presto/2.12.388 Version/12.16 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid_config.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Opera/9.80 (X11; Linux i686) Presto/2.12.388 Version/12.16 Requête brute (extrait) GET /sendgrid_config.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Opera/9.80 (X11; Linux i686) Presto/2.12.388 Version/12.16 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "py", "http_ua_hash": "92bf09d6d5b04766787d6daa8754d6c469e16ccc", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "a8a91d2a8a844789d248ad7ec78ac7f9ab48d8a3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 196, "payload_entropy": 5.210666680921385, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "d58783dc3033237ad421d15a1dfc34b91ac80002", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9426bba269712bc8a4a40109a13e67eb", "payload_hash": "5a79e7f473e76319272afd4545b5e7e6", "path_pattern_hash": "5188a9e48f153fb145fe03b080df78ed" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16\r", "method": "GET", "path": "\/sendgrid_config.py", "user_agent": "Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid_config.py HTTP\/1.1", "request_sample": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16", "evidence": { "method": "GET", "path": "\/sendgrid_config.py", "user_agent": "Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid_config.py HTTP\/1.1", "request_sample": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "90f1922536d14ecba31bd2759081887ae922f5df", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid_config.py", "request_line": "GET \/sendgrid_config.py HTTP\/1.1", "http_user_agent": "Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid_config.py", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid_config.py", "request_line": "GET \/sendgrid_config.py HTTP\/1.1", "http_user_agent": "Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid_config.py", "evidence_snippet": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /config/sendgrid.py	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.py UA nook browser/1.0 Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950468:nosqli-3 http_probe_config net_flood Cible HTTP GET /config/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /config/sendgrid.py Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.py HTTP/1.1` User-Agent nook browser/1.0 Règles WAF nosqli-3 Payload (extrait) GET /config/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: nook browser/1.0 Accept-Charset: utf-8 Accept-Encoding: g Requête brute (extrait) GET /config/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: nook browser/1.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "bcec996a443156902e377763cc2c2e563d0ca98d", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "c39a8449a6e4f2889aa8a56e74d7dff99a1b9759", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 154, "payload_entropy": 5.0432151130882525, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "048a98bd09227fc700b06e5bb14034241ec4691c", "event_fingerprint": "c1103cc6ec6be9bcd87c441fc8b8a0ac45a46401", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "aef3d22325926045b875772126ee5a64", "payload_hash": "9c43f97723e06d51fcf64dd9c16ec279", "path_pattern_hash": "9abcee9f2bf7633ad04f7c379dbcfd85" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: nook browser\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "method": "GET", "path": "\/config\/sendgrid.py", "user_agent": "nook browser\/1.0", "waf_tags": [ "950468:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: nook browser\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: nook browser\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "evidence": { "method": "GET", "path": "\/config\/sendgrid.py", "user_agent": "nook browser\/1.0", "waf_tags": [ "950468:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: nook browser\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: nook browser\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0dd968eb0cdfeb0efba96e857ca80c55400aafdd", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.py", "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "http_user_agent": "nook browser\/1.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: nook browser\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.py", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.py", "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "http_user_agent": "nook browser\/1.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.py", "evidence_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: nook browser\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /email/sendgrid.py	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /email/sendgrid.py UA Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /email/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /email/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /email/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /email/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /email/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "fc8b8433cce0c19f01e84258538fa46cfdad863f", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "190af723c99988769325445339d91d711879f378", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.425164751543833, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "05fc0d049e5d24498deceac75cd23278940375c1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "82a3c6e74e689531cb1b5860b14916f6", "payload_hash": "7506509a08e2e8eb0f861e19bab58c67", "path_pattern_hash": "aa093fa1b6f985e5ed81b711d71d6186" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/email\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/email\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/email\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/email\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5d552c31ee4b49941f797226a2c67153a3e4e32b", "protocol_details": { "http_method": "GET", "http_path": "\/email\/sendgrid.py", "request_line": "GET \/email\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTM", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/email\/sendgrid.py", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/email\/sendgrid.py", "request_line": "GET \/email\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/email\/sendgrid.py", "evidence_snippet": "GET \/email\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTM", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /mail/sendgrid.py	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /mail/sendgrid.py UA Mozilla/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build/N… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_mail Cible HTTP GET /mail/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /mail/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /mail/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/10.9.7-g Règles WAF rce-0 nosqli-3 Payload (extrait) GET /mail/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build Requête brute (extrait) GET /mail/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/10.9.7- Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "e9d8160d0cb650d0f65eb3d1f6025fcc8064df16", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "4e4e30676a1660aa4bddd155759e5f2063e42ebb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 326, "payload_entropy": 5.457107039587183, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "a128defc55f7b6cdc253c4ac9437c3489d1e592d", "event_fingerprint": "0374569905df1813679d236fce5cf5d20cd08cab", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f3a1165ac670a82deb2260b1656eb39a", "payload_hash": "cac97b2b87330ce62c61916455891dd5", "path_pattern_hash": "b5e77b51819ded84d893a1ced6a06cf4" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build", "method": "GET", "path": "\/mail\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.7-g", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mail\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.7-", "payload_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build", "evidence": { "method": "GET", "path": "\/mail\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.7-g", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mail\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrowser\/10.9.7-", "payload_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cdd8d81a7d488b60925055abadfcefcb53308487", "protocol_details": { "http_method": "GET", "http_path": "\/mail\/sendgrid.py", "request_line": "GET \/mail\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mail\/sendgrid.py", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/mail\/sendgrid.py", "request_line": "GET \/mail\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mail\/sendgrid.py", "evidence_snippet": "GET \/mail\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; es-es; Redmi Note 4 Build", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_mail", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /backend/sendgrid.py	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /backend/sendgrid.py UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /backend/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /backend/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backend/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /backend/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "f82f6bdde0703010485af715f69f70fb2457ffeb", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "9b3b3fd51ae018208ce4d96cbad2187f4475e746", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 244, "payload_entropy": 5.467017227053905, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "827e851c0cb02565627711a40a8f7a25afcc91b0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4636206c01ccd6ef8c951048fdec3e40", "payload_hash": "51d6e362c93c9bd17cd4bf9af124d028", "path_pattern_hash": "ecf29d1ed95b1fd215637cce0a9e7303" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/backend\/sendgrid.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/backend\/sendgrid.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "97f07e793d67302efee7d68d1e2fa4537f1702b5", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.py", "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.py", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.py", "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.py", "evidence_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sendgrid.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.json UA Mozilla/5.0 (Windows NT 6.2; rv:19.0) Gecko/20121129 Firefox/19… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sendgrid.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.2; rv:19.0) Gecko/20121129 Firefox/19.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:19.0) Gecko/20121129 Firefox/19. Requête brute (extrait) GET /sendgrid.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:19.0) Gecko/20121129 Firefox/19.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "767ad033256afe4823fe410df97e589a175b390c", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "334746630c59d3caca795d70405b3b173f74a90b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 198, "payload_entropy": 5.274947274973245, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "0c1d06a6336665e43b6f23dff1d6256d090ac4d5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d392a2873c9acecccf7eabc65c2f2acb", "payload_hash": "1e8c7f190b229a466b8c5425a9a77a6d", "path_pattern_hash": "e6f5fbc298134f1524aeaece47705fce" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; rv:19.0) Gecko\/20121129 Firefox\/19.", "method": "GET", "path": "\/sendgrid.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.2; rv:19.0) Gecko\/20121129 Firefox\/19.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.json HTTP\/1.1", "request_sample": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; rv:19.0) Gecko\/20121129 Firefox\/19.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; rv:19.0) Gecko\/20121129 Firefox\/19.", "evidence": { "method": "GET", "path": "\/sendgrid.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.2; rv:19.0) Gecko\/20121129 Firefox\/19.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.json HTTP\/1.1", "request_sample": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; rv:19.0) Gecko\/20121129 Firefox\/19.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; rv:19.0) Gecko\/20121129 Firefox\/19.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0e819fe92bb448d815c030768275dfbe06f0a82b", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.json", "request_line": "GET \/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.2; rv:19.0) Gecko\/20121129 Firefox\/19.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; rv:19.0) Gecko\/20121129 Firefox\/19.", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.json", "request_line": "GET \/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.2; rv:19.0) Gecko\/20121129 Firefox\/19.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.json", "evidence_snippet": "GET \/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; rv:19.0) Gecko\/20121129 Firefox\/19.", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /mailer/sendgrid.py	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /mailer/sendgrid.py UA Mozilla/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit/537.3… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /mailer/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /mailer/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /mailer/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /mailer/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit/5 Requête brute (extrait) GET /mailer/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "29cd09ad15e8292a12de19e2d883268b52a39575", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "9b85ba3fc4ac4a1549d12be2ecef5722bb151f3a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.447495997644398, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "c360b5b757bc2601e2d9cbd78f6c94a04c831934", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c610a00222c614f93f082ea99d6fbecf", "payload_hash": "3d77699cdc4c400a7fcc6d513cacc76d", "path_pattern_hash": "8c4b21a7860b8f6d464d0085eb236a5b" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/5", "method": "GET", "path": "\/mailer\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/mailer\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c4a6f902247dace4ff02b23392491da4503882fc", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.py", "request_line": "GET \/mailer\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/5", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.py", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.py", "request_line": "GET \/mailer\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.py", "evidence_snippet": "GET \/mailer\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/5", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /app/sendgrid.py	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /app/sendgrid.py UA Mozilla/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /app/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit/537.36 (KH Requête brute (extrait) GET /app/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "de260e9f780051f90abaf813863d2487a7d84ec5", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "a743b8206ca823c369ef5eb8bfeb21a48b56cf7e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.441801943657636, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "91e1e146245e3a59c43c5eea98ff361e1b6c57e2", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bdcf33dd37c2af62f61ae68661368f0b", "payload_hash": "9540ce9cf1bedfa5ae74e35f77c3b579", "path_pattern_hash": "bbc1021582141e8e631079ccf6c69d4d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/app\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/app\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6c8ef58f27da634e4ab1fa2c8802e0eb8957000d", "protocol_details": { "http_method": "GET", "http_path": "\/app\/sendgrid.py", "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit\/537.36 (KH", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/sendgrid.py", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/app\/sendgrid.py", "request_line": "GET \/app\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/sendgrid.py", "evidence_snippet": "GET \/app\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SNE-LX1) AppleWebKit\/537.36 (KH", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /src/sendgrid.py	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /src/sendgrid.py UA Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.30-7.dmz.1-li… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /src/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /src/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /src/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.30-7.dmz.1-liquorix-686; X11) KHTML/3.5.10 (like Gecko) (Debian package 4:3.5.10.dfsg.1-1 b1) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /src/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.30-7.dmz.1-l Requête brute (extrait) GET /src/sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.30-7.dmz.1-liquorix-686; X11) KHTML/3.5.10 (like Gecko) (Debian package 4:3.5.10.dfsg.1-1 b1) Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "f9bfbfd652abfd8c3c1cc17a57bf687728c3787c", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "1199ec6af8250c9d336ec91a467a574f2ae011ba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 278, "payload_entropy": 5.376250740180677, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "5d244793ea65b129e94b5098569eec4c7034ac46", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c765fd161bc16448694950e44cb872e3", "payload_hash": "297debe167c24ed1702747a7c64f32f4", "path_pattern_hash": "1599bd71dd6b66802ca7702f410c4986" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; Linux 2.6.30-7.dmz.1-l", "method": "GET", "path": "\/src\/sendgrid.py", "user_agent": "Mozilla\/5.0 (compatible; Konqueror\/3.5; Linux 2.6.30-7.dmz.1-liquorix-686; X11) KHTML\/3.5.10 (like Gecko) (Debian package 4:3.5.10.dfsg.1-1 b1)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/src\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; Linux 2.6.30-7.dmz.1-liquorix-686; X11) KHTML\/3.5.10 (like Gecko) (Debian package 4:3.5.10.dfsg.1-1 b1)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; Linux 2.6.30-7.dmz.1-l", "evidence": { "method": "GET", "path": "\/src\/sendgrid.py", "user_agent": "Mozilla\/5.0 (compatible; Konqueror\/3.5; Linux 2.6.30-7.dmz.1-liquorix-686; X11) KHTML\/3.5.10 (like Gecko) (Debian package 4:3.5.10.dfsg.1-1 b1)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/src\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; Linux 2.6.30-7.dmz.1-liquorix-686; X11) KHTML\/3.5.10 (like Gecko) (Debian package 4:3.5.10.dfsg.1-1 b1)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; Linux 2.6.30-7.dmz.1-l", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4542358942d9e3155ce09bf1cf7c326f813f221b", "protocol_details": { "http_method": "GET", "http_path": "\/src\/sendgrid.py", "request_line": "GET \/src\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/3.5; Linux 2.6.30-7.dmz.1-liquorix-686; X11) KHTML\/3.5.10 (like Gecko) (Debian packa\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; Linux 2.6.30-7.dmz.1-l", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/sendgrid.py", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/src\/sendgrid.py", "request_line": "GET \/src\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/3.5; Linux 2.6.30-7.dmz.1-liquorix-686; X11) KHTML\/3.5.10 (like Gecko) (Debian packa\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/sendgrid.py", "evidence_snippet": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; Linux 2.6.30-7.dmz.1-l", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /config/sendgrid.json	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.json UA Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/537.36… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /config/sendgrid.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/ Requête brute (extrait) GET /config/sendgrid.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "eb5f562431d2b2be668cefafcbd8068399b65a16", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "6c93d1b9fbdf8e8d128caa00a09f6faf39a40791", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 265, "payload_entropy": 5.391332940205862, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1dbf86afdf7bf40b22170135d0a0d69ef95ed72f", "event_fingerprint": "36010cef1413e10c9874a5b985027ab70fa2e2a9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c7f32e4fc5208b6f0c5240836ff4b8ef", "payload_hash": "34306894835c20eb98fed26e6db6ea7a", "path_pattern_hash": "b3c041376e66dccb94b76d7207504df9" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/", "method": "GET", "path": "\/config\/sendgrid.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/config\/sendgrid.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "55fadc92a44a57f4cfe01639d079c3dddf753945", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.json", "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.json", "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.json", "evidence_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sendgrid.config.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.config.json UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sendgrid.config.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.config.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.config.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 ( Requête brute (extrait) GET /sendgrid.config.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "22df29a4de1fd38c87dcec09e37f285d6da07f99", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "eeb189e33107611f717db38a6842e4ac40f53918", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.408634369155313, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "a3a624c7b9db823f20e122116ceee5d9e7caabf6", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3bf471692ec50211bc6c14c122424bcd", "payload_hash": "5e357a67963ee658e67f43313aa1ff88", "path_pattern_hash": "d03aef47d2b763bc56a13f3ba838e778" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (", "method": "GET", "path": "\/sendgrid.config.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "request_sample": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/sendgrid.config.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "request_sample": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "815b08482a6abe1a4446e64cc4323705ce0a07bc", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.config.json", "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.config.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.config.json", "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.config.json", "evidence_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sendgrid-config.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid-config.json UA Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebK… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid-config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sendgrid-config.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid-config.json HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) App Requête brute (extrait) GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1 Accept-Charset: utf-8 Accept-Encoding: gzip Conn Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "ef47592d2daeaaf7187343ce82c6f089a6772de6", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "7d5ebcf94187fd12c4375ea09c6c54bd408b8303", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 273, "payload_entropy": 5.37465992462218, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "1627acf9e4a8829586fd7afd8281bf0d7bf37e8f", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5c11371fdc0eab11747d42687f6483dc", "payload_hash": "3acbbea5cde1775d74f4c78e40ee8d5b", "path_pattern_hash": "170a7f6ff312a524729718105c471f02" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) App", "method": "GET", "path": "\/sendgrid-config.json", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13B143 Safari\/601.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "request_sample": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13B143 Safari\/601.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) App", "evidence": { "method": "GET", "path": "\/sendgrid-config.json", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13B143 Safari\/601.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "request_sample": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13B143 Safari\/601.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) App", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0d3563401c901f3c5814bfbc7830baad629d8c01", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.json", "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13B14\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) App", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.json", "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13B14\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.json", "evidence_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) App", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sendgrid_helper.py	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid_helper.py UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid_helper.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sendgrid_helper.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid_helper.py HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid_helper.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /sendgrid_helper.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "py", "http_ua_hash": "3d223265ba48595efd11ff58193bd7ad0c43df7c", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "772198c723c64c6ab2c19442e512e9b63957a609", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.446067799691963, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "a0a519d08248d7e9922d8b6cf790501ebaf1b8e3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "67276cddfcf3839c4ed1b28eb9a0bc9e", "payload_hash": "0764565d7e459bd25ffc8bd80755624c", "path_pattern_hash": "f0a726c4ecbb7f24a7410bc2568f13fc" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/sendgrid_helper.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid_helper.py HTTP\/1.1", "request_sample": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/sendgrid_helper.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid_helper.py HTTP\/1.1", "request_sample": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f257cb85ed8bfa8c55c99bc5ff33c725532c76fc", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid_helper.py", "request_line": "GET \/sendgrid_helper.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid_helper.py", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid_helper.py", "request_line": "GET \/sendgrid_helper.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid_helper.py", "evidence_snippet": "GET \/sendgrid_helper.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /mailer/sendgrid.php	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /mailer/sendgrid.php UA Mozilla/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko/20100101 Firefo… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /mailer/sendgrid.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /mailer/sendgrid.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /mailer/sendgrid.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko/20100101 Firefox/28.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /mailer/sendgrid.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko/20100101 F Requête brute (extrait) GET /mailer/sendgrid.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko/20100101 Firefox/28.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "621b4990ff1d4f4e4cf0ba6a4f1e956b813871fa", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "dae727d8f431c63a4890b644ed3bde6b8b286d4f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 208, "payload_entropy": 5.333772783102024, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "a86fe05591dea586bd27f9600b7142f77661c175", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3c756e686f84c7a5e57079b77838c5e7", "payload_hash": "6b1d2406632925cd662d10a41e177e4d", "path_pattern_hash": "efcedb7b18ae8ea8d96de301e7bc027e" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko\/20100101 F", "method": "GET", "path": "\/mailer\/sendgrid.php", "user_agent": "Mozilla\/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko\/20100101 Firefox\/28.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko\/20100101 Firefox\/28.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko\/20100101 F", "evidence": { "method": "GET", "path": "\/mailer\/sendgrid.php", "user_agent": "Mozilla\/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko\/20100101 Firefox\/28.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko\/20100101 Firefox\/28.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko\/20100101 F", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "414ae5ffa66e5d177c783fac0daeed9692ce17af", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.php", "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko\/20100101 Firefox\/28.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko\/20100101 F", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.php", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.php", "request_line": "GET \/mailer\/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko\/20100101 Firefox\/28.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.php", "evidence_snippet": "GET \/mailer\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko\/20100101 F", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /config/sendgrid.php	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.php UA Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us)… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /config/sendgrid.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.php HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5A347 Safari/525.200 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; e Requête brute (extrait) GET /config/sendgrid.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5A347 Safari/525.200 Accept-Charset: utf-8 Accept-Encoding Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "6d10ed516e2c23ca8f7bde0be44e14eb0b92730a", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "5a7c4db4e49228f435e7f3ef670fd7a77af86fbd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 285, "payload_entropy": 5.363040295093616, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1dbf86afdf7bf40b22170135d0a0d69ef95ed72f", "event_fingerprint": "6b58b9335decfef939549e8d3958c719ba81f80d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7523c5d32d67d6334420581b77fccf10", "payload_hash": "19b58a10b59b0a0143df4b77f74215bb", "path_pattern_hash": "c0ea70e9176b91c1342a31c50481c975" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; e", "method": "GET", "path": "\/config\/sendgrid.php", "user_agent": "Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit\/525.18.1 (KHTML, like Gecko) Version\/3.1.1 Mobile\/5A347 Safari\/525.200", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit\/525.18.1 (KHTML, like Gecko) Version\/3.1.1 Mobile\/5A347 Safari\/525.200\r\nAccept-Charset: utf-8\r\nAccept-Encoding", "payload_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; e", "evidence": { "method": "GET", "path": "\/config\/sendgrid.php", "user_agent": "Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit\/525.18.1 (KHTML, like Gecko) Version\/3.1.1 Mobile\/5A347 Safari\/525.200", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit\/525.18.1 (KHTML, like Gecko) Version\/3.1.1 Mobile\/5A347 Safari\/525.200\r\nAccept-Charset: utf-8\r\nAccept-Encoding", "payload_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f5e2edc21589f1147dbd38b9f67771d6d7b90121", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.php", "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit\/525.18.1 (KHTML, like Gecko) Version\/3.1.1 \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; e", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.php", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.php", "request_line": "GET \/config\/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit\/525.18.1 (KHTML, like Gecko) Version\/3.1.1 \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.php", "evidence_snippet": "GET \/config\/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; e", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /mailer/sendgrid.js	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /mailer/sendgrid.js UA Mozilla/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit/537.36 (… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /mailer/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /mailer/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /mailer/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.102 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /mailer/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit/537. Requête brute (extrait) GET /mailer/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.102 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "3ef54880dbcaffd02c7a64a29e34df8d06aef1c5", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "f0266273bf48ddd4776744bfb636ed48db1f9a0e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.428983392050046, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "709419bdc7128b867d7d1630920256e35eecbcf7", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "452a09b1cd507707120a6475076a6a1a", "payload_hash": "f0ec07a0c4a1b7f08626b90f40caa4c5", "path_pattern_hash": "6ecfd778a602d8c5515ae4f71e84d137" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit\/537.", "method": "GET", "path": "\/mailer\/sendgrid.js", "user_agent": "Mozilla\/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.102 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.102 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/mailer\/sendgrid.js", "user_agent": "Mozilla\/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.102 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/mailer\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.102 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e6d8aff839a14123583e23e780c0d00fd26535c7", "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.js", "request_line": "GET \/mailer\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.102 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.js", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/mailer\/sendgrid.js", "request_line": "GET \/mailer\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.102 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mailer\/sendgrid.js", "evidence_snippet": "GET \/mailer\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS aarch64 12239.67.0) AppleWebKit\/537.", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /config/sendgrid.yml	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.yml UA Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_Version)… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /config/sendgrid.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_Version) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_V Requête brute (extrait) GET /config/sendgrid.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_Version) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "d1fe78cc4b2390aa57ab35fd24fafa28626a16ef", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "0bd9f817e7997b41e7d0b8b8dd114ee25267d094", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 285, "payload_entropy": 5.475905790248844, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1dbf86afdf7bf40b22170135d0a0d69ef95ed72f", "event_fingerprint": "4fddb871a9d9051309887acf0f97f613bf1a00ac", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "89118e8e7adfb61feb0c5082572d1e14", "payload_hash": "210ed5acb78ccc9b268402c8666a1126", "path_pattern_hash": "b33a5d11f328bd7713feb258f3d7e0c0" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_V", "method": "GET", "path": "\/config\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding", "payload_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_V", "evidence": { "method": "GET", "path": "\/config\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding", "payload_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_V", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "249133864afbe95ce565721d8a9a328843f8cfa2", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.yml", "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_V", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.yml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.yml", "request_line": "GET \/config\/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.yml", "evidence_snippet": "GET \/config\/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_V", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sendgrid.php	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.php UA Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/535.22+ (KHTML, li… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sendgrid.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/535.22+ (KHTML, like Gecko) Chromium/17.0.963.56 Chrome/17.0.963.56 Safari/535.22+ Epiphany/2.30.6 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/535.22+ (KHTML, like Requête brute (extrait) GET /sendgrid.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/535.22+ (KHTML, like Gecko) Chromium/17.0.963.56 Chrome/17.0.963.56 Safari/535.22+ Epiphany/2.30.6 Accept-Charset: utf-8 Accept-Encoding: gzip Co Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "209c2ce36146ce0ddeb4e569e2b2f8ad72ff89d8", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "aeebeac9e1ed0166b8b2a8b12207a52ac16be70d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 275, "payload_entropy": 5.472996731488201, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "388d77d52ed471187042aa3fc44157019faf1b51", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0de761fab0ee68fa3366661a024c54c4", "payload_hash": "c75aedaa5bfba4fc4396d04800a8e8fc", "path_pattern_hash": "1c628b1c6b42ab40202a01c40f9a976e" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/535.22+ (KHTML, like", "method": "GET", "path": "\/sendgrid.php", "user_agent": "Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/535.22+ (KHTML, like Gecko) Chromium\/17.0.963.56 Chrome\/17.0.963.56 Safari\/535.22+ Epiphany\/2.30.6", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.php HTTP\/1.1", "request_sample": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/535.22+ (KHTML, like Gecko) Chromium\/17.0.963.56 Chrome\/17.0.963.56 Safari\/535.22+ Epiphany\/2.30.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/535.22+ (KHTML, like", "evidence": { "method": "GET", "path": "\/sendgrid.php", "user_agent": "Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/535.22+ (KHTML, like Gecko) Chromium\/17.0.963.56 Chrome\/17.0.963.56 Safari\/535.22+ Epiphany\/2.30.6", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.php HTTP\/1.1", "request_sample": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/535.22+ (KHTML, like Gecko) Chromium\/17.0.963.56 Chrome\/17.0.963.56 Safari\/535.22+ Epiphany\/2.30.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/535.22+ (KHTML, like", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "988e5df8c1baa6f95ea6c4da2a1232f93608c620", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.php", "request_line": "GET \/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/535.22+ (KHTML, like Gecko) Chromium\/17.0.963.56 Chrome\/17.0.963.56 Safari\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/535.22+ (KHTML, like", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.php", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.php", "request_line": "GET \/sendgrid.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/535.22+ (KHTML, like Gecko) Chromium\/17.0.963.56 Chrome\/17.0.963.56 Safari\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.php", "evidence_snippet": "GET \/sendgrid.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/535.22+ (KHTML, like", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sendgrid.py	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.py UA Mozilla/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit/5… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit/537. Requête brute (extrait) GET /sendgrid.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "py", "http_ua_hash": "daef42a21df445f94f682246a0f12c5c5ec788d7", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "0e3f38ff7e509e55407449d72c93d40ab0729e93", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.421348516145948, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "d0bab02c84d1bfdc2f4def13ea9293a8c1e3c58f", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c6b3619039704febe848287f0873e60d", "payload_hash": "684856cc052e9c338b7aeb53c753436a", "path_pattern_hash": "5599d311df7384f76edaf185f5d025e3" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.", "method": "GET", "path": "\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.py HTTP\/1.1", "request_sample": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.py HTTP\/1.1", "request_sample": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7381fda82a1729a7366dc7e4d6a67b4c97ea867c", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.py", "request_line": "GET \/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Sa\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.py", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.py", "request_line": "GET \/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Sa\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.py", "evidence_snippet": "GET \/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sendgrid.yml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.yml UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sendgrid.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /sendgrid.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "d57e0fd1435e96463eb497d2a56d284ee50a4b0c", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "fe30445de825aa0bffca483abd821a9f6a87533d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 241, "payload_entropy": 5.410068857635422, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "f87a7c6599d3320e73ca43dd1bfffdc491f40f73", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "914e46305c5a0f973127b22e4ba1e223", "payload_hash": "82dac7261b85f59c95fb961a4c7f4200", "path_pattern_hash": "7777bc3cc4ee53dc76c001dce4e79fd5" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c0fd91a18f218b115280c5a96b927fb1049e4a7e", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yml", "request_line": "GET \/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yml", "request_line": "GET \/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yml", "evidence_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:19 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sendgrid.yaml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.yaml UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWeb… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sendgrid.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.yaml HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebK Requête brute (extrait) GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "4111832ebe3597af454ce590f312702dd158237e", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "6ddb9259a81c5943f174c8762a08f320950440bd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 274, "payload_entropy": 5.408191925754984, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "65683a306402ebf24168557eec3d4a5d79283316", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fce8b2c5fa067b854db8ca48c513daa0", "payload_hash": "4e2ba358fe5d86686be31c7cb4963523", "path_pattern_hash": "586d42da805584afffe4b06de4328fe7" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebK", "method": "GET", "path": "\/sendgrid.yaml", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "request_sample": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebK", "evidence": { "method": "GET", "path": "\/sendgrid.yaml", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "request_sample": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4b49c079db3ef27967fbca612e615e5e66f773c0", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yaml", "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobi\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebK", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yaml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yaml", "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobi\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yaml", "evidence_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebK", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /src/sendgrid.js	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /src/sendgrid.js UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /src/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /src/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /src/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /src/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (K Requête brute (extrait) GET /src/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "3fb648f5c2ebf83230d15494859955478296821e", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "a3238471d1a50dc88710b61abe1ecef20adb8ca4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.409058457283255, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "f639721ff084ce0debbc30548f4e16e930971f88", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "50b0f1510e9360a8c222bf441f5ebf43", "payload_hash": "49e721a71917a7fa67519581f2779c34", "path_pattern_hash": "e36285cd7734c4bd56f4ea4e4d82c8ca" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/src\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/src\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/src\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/src\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cde00cc2f321108de4c6bd14014415d42cf62f6e", "protocol_details": { "http_method": "GET", "http_path": "\/src\/sendgrid.js", "request_line": "GET \/src\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/sendgrid.js", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/src\/sendgrid.js", "request_line": "GET \/src\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/sendgrid.js", "evidence_snippet": "GET \/src\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /public/js/sendgrid.js	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /public/js/sendgrid.js UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /public/js/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /public/js/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Élevé · 69 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /public/js/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /public/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /public/js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "9a89dda9fa23de8e7b4fe7caa64fca4b59e86421", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "3d8d45d4780341cf69b3566ae14a0edf2136ab23", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.455986896051729, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 69, "tag_count": 5, "anomaly_count": 0, "campaign_key": "8bea2bc37bf051a89ffe517b35fd6c07797996e3", "event_fingerprint": "3025d74944370116f14f92ee99dd0cd507429e7e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 69 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "003ca088bf8ea1caa86a10d8157d5043", "payload_hash": "eb392fd3718cb9d9a4167aebaba00127", "path_pattern_hash": "f58945cff6efd1a814c6e2366d5811fb" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/public\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.117 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/public\/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.117 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/public\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.117 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/public\/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.117 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "79c59465854cd270a275700d3724b319ddc5087c", "protocol_details": { "http_method": "GET", "http_path": "\/public\/js\/sendgrid.js", "request_line": "GET \/public\/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.117 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/js\/sendgrid.js", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 69 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/public\/js\/sendgrid.js", "request_line": "GET \/public\/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.117 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/js\/sendgrid.js", "evidence_snippet": "GET \/public\/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /.pypirc	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /.pypirc UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.pypirc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.pypirc Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.pypirc HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.145 Safari/537.36 Vivaldi/2.6.1566.49 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.pypirc HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Requête brute (extrait) GET /.pypirc HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.145 Safari/537.36 Vivaldi/2.6.1566.49 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "pypirc", "http_ua_hash": "8272d09c2b221730716e55553ca532958be366dc", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "4f379f0493c77f8c140c8f093ef7d07d4d18769b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.468593660752303, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "119a732561f80053094f0fc7ed99363a84418659", "event_fingerprint": "24b92d2268dbedb3e13699a9b4e8538408056d39", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c541e185e522bf62f7aeac311e21a79c", "payload_hash": "1f77c1a4adeae015b1e453f990c3feb7", "path_pattern_hash": "f4c8c175cb2aad95cfdfc95e8249602c" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "method": "GET", "path": "\/.pypirc", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1566.49", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.pypirc HTTP\/1.1", "request_sample": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1566.49\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "evidence": { "method": "GET", "path": "\/.pypirc", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1566.49", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.pypirc HTTP\/1.1", "request_sample": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1566.49\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "62f20ca6b36843cf92c12f1b829b78a51bc8b3c2", "protocol_details": { "http_method": "GET", "http_path": "\/.pypirc", "request_line": "GET \/.pypirc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.pypirc", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.pypirc", "request_line": "GET \/.pypirc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.pypirc", "evidence_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /.npmrc	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /.npmrc UA Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Ge… Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950470:nosqli-3 net_flood Cible HTTP GET /.npmrc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.npmrc Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred NPM credentials Ligne de requête `GET /.npmrc HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) baidu.sogo.uc.Chrome/36.0.1985.125 Safari/537.36 Règles WAF nosqli-3 Payload (extrait) GET /.npmrc HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) bai Requête brute (extrait) GET /.npmrc HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) baidu.sogo.uc.Chrome/36.0.1985.125 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "npmrc", "http_ua_hash": "3631e44fcff0a9bb51648feb6c3bc8b25b47bc1d", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "e47e720fc12387d6362d15cf56ef7f004f4a216f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 242, "payload_entropy": 5.3710775349200555, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 2, "anomaly_count": 0, "campaign_key": "aa3f7c0a8245252420ce58e9f1a51aa2cff06e52", "event_fingerprint": "d919e8cce2e5e01ab5f5208671ef2351bf63c8a6", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0481" ], "matched_pattern_names": [ "Cred NPM credentials" ], "pattern_ids": [ "pat-0481" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ed7b71d4e5b0e277368163929280adf3", "payload_hash": "147ce5037c9b43ffab0f22243ac8f243", "path_pattern_hash": "7643d037b83b1eb932659ed1ccb7e4fe" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) bai", "method": "GET", "path": "\/.npmrc", "user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) baidu.sogo.uc.Chrome\/36.0.1985.125 Safari\/537.36", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/.npmrc HTTP\/1.1", "request_sample": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) baidu.sogo.uc.Chrome\/36.0.1985.125 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) bai", "evidence": { "method": "GET", "path": "\/.npmrc", "user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) baidu.sogo.uc.Chrome\/36.0.1985.125 Safari\/537.36", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/.npmrc HTTP\/1.1", "request_sample": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) baidu.sogo.uc.Chrome\/36.0.1985.125 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) bai", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "90adaef0c174ddba0f3037ed960d2c6b88ad7cbe", "protocol_details": { "http_method": "GET", "http_path": "\/.npmrc", "request_line": "GET \/.npmrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) baidu.sogo.uc.Chrome\/36.0.1985.125 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) bai", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.npmrc", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.npmrc", "request_line": "GET \/.npmrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) baidu.sogo.uc.Chrome\/36.0.1985.125 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.npmrc", "evidence_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) bai", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /js/sendgrid.js	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /js/sendgrid.js UA Mozilla/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit/537.36… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /js/sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /js/sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Élevé · 69 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /js/sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit/537.36 Requête brute (extrait) GET /js/sendgrid.js HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.90 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "ebc73af3add799930ae225046d32f774512e7d41", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "7114249614c60cac92b11c965ba88c076eabbbd2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.413621789557182, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 69, "tag_count": 5, "anomaly_count": 0, "campaign_key": "8bea2bc37bf051a89ffe517b35fd6c07797996e3", "event_fingerprint": "640eb7eff68f30c7dbb3a2e520248b0ba9158716", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 69 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f175d57f2470206520eeed314e839c11", "payload_hash": "6bd339f1b8998d5054fe48a32668c12d", "path_pattern_hash": "e872e36d7b0986feefb905fe01ffcd7c" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36", "method": "GET", "path": "\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/js\/sendgrid.js", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "request_sample": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "218cded68bfcb8160b9ed7cdb7b92e71c64965f5", "protocol_details": { "http_method": "GET", "http_path": "\/js\/sendgrid.js", "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/5\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/sendgrid.js", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 69 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/js\/sendgrid.js", "request_line": "GET \/js\/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.90 Mobile Safari\/5\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/sendgrid.js", "evidence_snippet": "GET \/js\/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; SM-N910C) AppleWebKit\/537.36", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → Z>BLKUގpA6	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole \?v Z>BLKUގpA6 JA3 19e29534fd49dd27 Émulateur HTTP WAF 7 Recommandation Investiguer Tags 950324:rce-0 http_no_ua net_flood net_slowloris Cible HTTP \?v Z>BLKUގpA6 TLS SNI — Capteur paris-1
Preuve / Evidence Méthode \?v Port 8080 Chemin / cible Z>BLKUގpA6 Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ Ligne de requête `\?V Z>BLKUގpA6 HTTP/1.1` User-Agent — Règles WAF rce-0 Payload (extrait) ��\��?�v��Z�>�BLKUގ�pA��6�� d?��M;�ΜK��h7��'��ns!&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��\��?�v��Z�>�BLKUގ�pA��6�� d?��M;�ΜK��h7��'��ns!&�+�/�,�0̨̩� �� /5� w �+3&$ H[o���v��N��~7p�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "c6805e2ad06f3118047d508c1c718273703c0174", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\\?v", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 239, "payload_entropy": 5.867433518811639, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 36, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8c993e38cf9944e5164ebf8c9f1d28f9a45f2543", "event_fingerprint": "e2e17d77916b2915e7ebd94a3332ecb83362f1cc", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3aaa2b70047547b2a8c4da1550d9cbdc", "path_pattern_hash": "992f6f1c8d08d4156320b460da053bec", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\\?v", "path": "Z>BLKU\u078epA6\u0015", "waf_tags": [ "950324:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\\?V Z>BLKU\u078epA6\u0015 HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\\\ufffd\ufffd\ufffd\ufffd?\ufffdv\ufffd\u001f\ufffdZ\ufffd>\ufffdBLKU\u078e\ufffdpA\ufffd\ufffd6\u0015\ufffd\ufffd \ufffdd?\ufffd\ufffdM;\ufffd\u039cK\u0012\ufffd\ufffd\ufffd\ufffd\ufffdh7\u001e\ufffd\ufffd\ufffd\u0018\ufffd'\ufffd\ufffd\ufffdns!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\\?v", "path": "Z>BLKU\u078epA6\u0015", "waf_tags": [ "950324:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\\?V Z>BLKU\u078epA6\u0015 HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\\\ufffd\ufffd\ufffd\ufffd?\ufffdv\ufffd\u001f\ufffdZ\ufffd>\ufffdBLKU\u078e\ufffdpA\ufffd\ufffd6\u0015\ufffd\ufffd \ufffdd?\ufffd\ufffdM;\ufffd\u039cK\u0012\ufffd\ufffd\ufffd\ufffd\ufffdh7\u001e\ufffd\ufffd\ufffd\u0018\ufffd'\ufffd\ufffd\ufffdns!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0003H\u0013\u0011[\u0007o\ufffd\ueea5\ufffd\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffdN\ufffd\ufffd\u000e\ufffd~7p\ufffd\ufffd\u001c\u0016\u0005", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\\\ufffd\ufffd\ufffd\ufffd?\ufffdv\ufffd\u001f\ufffdZ\ufffd>\ufffdBLKU\u078e\ufffdpA\ufffd\ufffd6\u0015\ufffd\ufffd \ufffdd?\ufffd\ufffdM;\ufffd\u039cK\u0012\ufffd\ufffd\ufffd\ufffd\ufffdh7\u001e\ufffd\ufffd\ufffd\u0018\ufffd'\ufffd\ufffd\ufffdns!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "14b54e62c1ec883436ffb3beb47198e9c760a7a5", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\\?v", "http_path": "Z>BLKU\u078epA6\u0015", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\\?V Z>BLKU\u078epA6\u0015 HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffd\ufffd\\\ufffd\ufffd\ufffd\ufffd?\ufffdv\ufffd\ufffdZ\ufffd>\ufffdBLKU\u078e\ufffdpA\ufffd\ufffd6\ufffd\ufffd \ufffdd?\ufffd\ufffdM;\ufffd\u039cK\ufffd\ufffd\ufffd\ufffd\ufffdh7\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffdns!&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 Z>BLKU\u078epA6\u0015", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\\?v", "http_path": "Z>BLKU\u078epA6\u0015", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\\?V Z>BLKU\u078epA6\u0015 HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 Z>BLKU\u078epA6\u0015", "evidence_snippet": "\ufffd\ufffd\ufffd\\\ufffd\ufffd\ufffd\ufffd?\ufffdv\ufffd\ufffdZ\ufffd>\ufffdBLKU\u078e\ufffdpA\ufffd\ufffd6\ufffd\ufffd \ufffdd?\ufffd\ufffdM;\ufffd\u039cK\ufffd\ufffd\ufffd\ufffd\ufffdh7\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd\ufffdns!&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 36 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950324:rce-0", "http_no_ua", "net_flood", "net_slowloris" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /META-INF/context.xml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /META-INF/context.xml UA Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K)… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /META-INF/context.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /META-INF/context.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /META-INF/context.xml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Silk/2.1 Mobile Safari/535.19 Silk-Accelerated=true Règles WAF rce-0 nosqli-3 Payload (extrait) GET /META-INF/context.xml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/I Requête brute (extrait) GET /META-INF/context.xml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Silk/2.1 Mobile Safari/535.19 Silk-Accelerated=true Accept-Charset: utf-8 Accept Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "2823fb091bc51afa38cb669957969972e70e4285", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "3986bf7cda9cc4c51e53512817fc8584b30172b0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 294, "payload_entropy": 5.460389773771018, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "e62a1148fa74ad0d01b521b95ca897cccd279355", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c071d480eca0f72986e1a9acae4c6091", "payload_hash": "99963f6cf04aab413271e04d6d5ed35a", "path_pattern_hash": "30f764f600e5073ae934f34b2b98acc2" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/I", "method": "GET", "path": "\/META-INF\/context.xml", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile Safari\/535.19 Silk-Accelerated=true", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "request_sample": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile Safari\/535.19 Silk-Accelerated=true\r\nAccept-Charset: utf-8\r\nAccept", "payload_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/I", "evidence": { "method": "GET", "path": "\/META-INF\/context.xml", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile Safari\/535.19 Silk-Accelerated=true", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "request_sample": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile Safari\/535.19 Silk-Accelerated=true\r\nAccept-Charset: utf-8\r\nAccept", "payload_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/I", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e0fb2ef4e6ae2a9645b703f97744d2afe96d9f5", "protocol_details": { "http_method": "GET", "http_path": "\/META-INF\/context.xml", "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/I", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/META-INF\/context.xml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/META-INF\/context.xml", "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/META-INF\/context.xml", "evidence_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/I", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → Sc	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole W' Sc JA3 19e29534fd49dd27 Émulateur HTTP WAF 0 Recommandation Investiguer Tags http_no_ua net_flood net_slowloris Cible HTTP W' Sc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode W' Port 8080 Chemin / cible Sc Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ Ligne de requête `W' Sc HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) ��W'�S��c ��Ѐ�u��@��! ��z��tO�.�Pk�&D��A�ŉ�f&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��W' �S��c ��Ѐ�u��@��! ��z��tO�.�Pk�&D��A�ŉ�f&�+�/�,�0̨̩� �� /5� w �+3&$ ��Ŀ�%��(�"Ǻ $�2]�o[�w��: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "9552773249da4fe207e8bf1ff0fb9fd855f56a8c", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003W'", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 239, "payload_entropy": 5.859658244544173, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5f9217dc41d7e020be5cfe6a650da409c7f9f55c", "event_fingerprint": "2415ebdd6862592f4ee362cdc58a3df1dcf6158b", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4b35dfe30aa18a1341b0f37d96d248c1", "path_pattern_hash": "e0b9a8799f32453a478c9122f8b83cee", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003W'", "path": "Sc", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003W' Sc HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdW'\f\ufffdS\ufffd\ufffdc \ufffd\ufffd\ufffd\u0400\ufffdu\ufffd\ufffd\ufffd\ufffd\u0007\ufffd@\ufffd\ufffd\ufffd! \ufffd\u0011\u0019\ufffd\u0015z\ufffd\ufffd\ufffd\ufffd\u000ftO\ufffd.\ufffdP\u0007k\ufffd&D\ufffd\ufffdA\u000f\ufffd\u0149\ufffdf\u0003\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003W'", "path": "Sc", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003W' Sc HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdW'\f\ufffdS\ufffd\ufffdc \ufffd\ufffd\ufffd\u0400\ufffdu\ufffd\ufffd\ufffd\ufffd\u0007\ufffd@\ufffd\ufffd\ufffd! \ufffd\u0011\u0019\ufffd\u0015z\ufffd\ufffd\ufffd\ufffd\u000ftO\ufffd.\ufffdP\u0007k\ufffd&D\ufffd\ufffdA\u000f\ufffd\u0149\ufffdf\u0003\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u0012\u013f\ufffd%\u0016\u001d\ufffd\ufffd\u0005(\ufffd\"\u01fa\n$\ufffd2]\u001f\ufffdo[\ufffdw\ufffd\u0005\ufffd:", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdW'\f\ufffdS\ufffd\ufffdc \ufffd\ufffd\ufffd\u0400\ufffdu\ufffd\ufffd\ufffd\ufffd\u0007\ufffd@\ufffd\ufffd\ufffd! \ufffd\u0011\u0019\ufffd\u0015z\ufffd\ufffd\ufffd\ufffd\u000ftO\ufffd.\ufffdP\u0007k\ufffd&D\ufffd\ufffdA\u000f\ufffd\u0149\ufffdf\u0003\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8da09140a183c27cd18767d3018c0e7aba26d974", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003W'", "http_path": "Sc", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003W' Sc HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW'\ufffdS\ufffd\ufffdc \ufffd\ufffd\ufffd\u0400\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd! \ufffd\ufffdz\ufffd\ufffd\ufffd\ufffdtO\ufffd.\ufffdPk\ufffd&D\ufffd\ufffdA\ufffd\u0149\ufffdf&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 Sc", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003W'", "http_path": "Sc", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003W' Sc HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 Sc", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW'\ufffdS\ufffd\ufffdc \ufffd\ufffd\ufffd\u0400\ufffdu\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd! \ufffd\ufffdz\ufffd\ufffd\ufffd\ufffdtO\ufffd.\ufffdPk\ufffd&D\ufffd\ufffdA\ufffd\u0149\ufffdf&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_no_ua", "net_flood", "net_slowloris" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /.idea/workspace.xml	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /.idea/workspace.xml UA facebookscraper/1.0( http://www.facebook.com/sharescraper_help.… Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950310:lfi-12 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /.idea/workspace.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.idea/workspace.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Élevé · 69 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Probe /.idea/ Ligne de requête `GET /.idea/workspace.xml HTTP/1.1` User-Agent facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php) Règles WAF lfi-12 ssrf-3 nosqli-3 Payload (extrait) GET /.idea/workspace.xml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: facebookscraper/1.0( http://www.facebook.com/sharescraper_ Requête brute (extrait) GET /.idea/workspace.xml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "8c9328e594e83f80912931f16b47be818232a210", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "dcd10abd9e64a56ef60f2096a44fceab68d89da5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 206, "payload_entropy": 5.122179892224247, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 69, "tag_count": 5, "anomaly_count": 0, "campaign_key": "0100076197937a47f519c7886d9a29850dde7077", "event_fingerprint": "b31942bce67ed1340deeefde9a018534e70965d0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103", "pat-0226" ], "matched_pattern_names": [ "LFI Double-dot bypass", "Probe \/.idea\/" ], "pattern_ids": [ "pat-0103", "pat-0226" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 69 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2c66975df649b3052f4a1822d8bf526", "payload_hash": "bdb0ef9c89129786cf210467d2c96ca9", "path_pattern_hash": "5704ec26c04e317ce2b2911c876a5465" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: facebookscraper\/1.0( http:\/\/www.facebook.com\/sharescraper_", "method": "GET", "path": "\/.idea\/workspace.xml", "user_agent": "facebookscraper\/1.0( http:\/\/www.facebook.com\/sharescraper_help.php)", "waf_tags": [ "950310:lfi-12", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-12", "ssrf-3", "nosqli-3" ], "request_line": "GET \/.idea\/workspace.xml HTTP\/1.1", "request_sample": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: facebookscraper\/1.0( http:\/\/www.facebook.com\/sharescraper_help.php)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: facebookscraper\/1.0( http:\/\/www.facebook.com\/sharescraper_", "evidence": { "method": "GET", "path": "\/.idea\/workspace.xml", "user_agent": "facebookscraper\/1.0( http:\/\/www.facebook.com\/sharescraper_help.php)", "waf_tags": [ "950310:lfi-12", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-12", "ssrf-3", "nosqli-3" ], "request_line": "GET \/.idea\/workspace.xml HTTP\/1.1", "request_sample": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: facebookscraper\/1.0( http:\/\/www.facebook.com\/sharescraper_help.php)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: facebookscraper\/1.0( http:\/\/www.facebook.com\/sharescraper_", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "60f698c82ea8d3c130a4b0c826b89d2dbd02e1e4", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/workspace.xml", "request_line": "GET \/.idea\/workspace.xml HTTP\/1.1", "http_user_agent": "facebookscraper\/1.0( http:\/\/www.facebook.com\/sharescraper_help.php)", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: facebookscraper\/1.0( http:\/\/www.facebook.com\/sharescraper_", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/workspace.xml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 69 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/workspace.xml", "request_line": "GET \/.idea\/workspace.xml HTTP\/1.1", "http_user_agent": "facebookscraper\/1.0( http:\/\/www.facebook.com\/sharescraper_help.php)", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/workspace.xml", "evidence_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: facebookscraper\/1.0( http:\/\/www.facebook.com\/sharescraper_", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950310:lfi-12", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → IYUEr-+	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole B"ϙ IYUEr-+ JA3 19e29534fd49dd27 Émulateur HTTP WAF 0 Recommandation Investiguer Tags http_no_ua net_flood net_slowloris Cible HTTP B"ϙ IYUEr-+ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode B"ϙ Port 8080 Chemin / cible IYUEr-+ Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ Ligne de requête `B"Ϙ IYUEr-+ HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) ��B"��ϙ��I��Y��U�Er-��+ ̀0��e�d�Bg�F�E��Rh̳��Q��s &�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��B"��ϙ��I��Y��U�Er-��+ ̀0��e�d�Bg�F�E��Rh̳��Q��s &�+�/�,�0̨̩� �� /5� w �+3&$ ��0v�tmHÙ��2��Eau^4+ ��r\� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "2944a0bbbdd48f539703450d945c4e382c8d31a7", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003B\"\u03d9", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 239, "payload_entropy": 5.8833225045422335, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5f9217dc41d7e020be5cfe6a650da409c7f9f55c", "event_fingerprint": "8b7d471ffa14d3f5e426eea3573f9464cbea18c3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8a93e2f451395eb747fde424f2dbbcb0", "path_pattern_hash": "88c7913b45d898eb633299f806f05ac3", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003B\"\u03d9", "path": "\u0018I\u000e\u0014YUEr-+", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003B\"\u03d8 \u0018I\u000e\u0014YUEr-+ HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdB\"\ufffd\ufffd\u03d9\u001c\u0018\ufffd\ufffdI\ufffd\u000e\ufffd\u0014\ufffdY\ufffd\ufffd\ufffdU\ufffdEr-\ufffd\ufffd+ \u03000\ufffd\ufffde\ufffdd\u0011\ufffdBg\ufffdF\ufffdE\ufffd\ufffdRh\u0333\ufffd\ufffd\ufffd\ufffd\u0013Q\ufffd\ufffds\t\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003B\"\u03d9", "path": "\u0018I\u000e\u0014YUEr-+", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003B\"\u03d8 \u0018I\u000e\u0014YUEr-+ HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdB\"\ufffd\ufffd\u03d9\u001c\u0018\ufffd\ufffdI\ufffd\u000e\ufffd\u0014\ufffdY\ufffd\ufffd\ufffdU\ufffdEr-\ufffd\ufffd+ \u03000\ufffd\ufffde\ufffdd\u0011\ufffdBg\ufffdF\ufffdE\ufffd\ufffdRh\u0333\ufffd\ufffd\ufffd\ufffd\u0013Q\ufffd\ufffds\t\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd0v\ufffdtmH\u00d9\ufffd\ufffd2\ufffd\ufffdEau^4+\u000b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdr\\\ufffd\u0010", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdB\"\ufffd\ufffd\u03d9\u001c\u0018\ufffd\ufffdI\ufffd\u000e\ufffd\u0014\ufffdY\ufffd\ufffd\ufffdU\ufffdEr-\ufffd\ufffd+ \u03000\ufffd\ufffde\ufffdd\u0011\ufffdBg\ufffdF\ufffdE\ufffd\ufffdRh\u0333\ufffd\ufffd\ufffd\ufffd\u0013Q\ufffd\ufffds\t\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "debc49c3b622e379a03e0a3898aa03af8522e63f", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003B\"\u03d9", "http_path": "\u0018I\u000e\u0014YUEr-+", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003B\"\u03d8 \u0018I\u000e\u0014YUEr-+ HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdB\"\ufffd\ufffd\u03d9\ufffd\ufffdI\ufffd\ufffd\ufffdY\ufffd\ufffd\ufffdU\ufffdEr-\ufffd\ufffd+ \u03000\ufffd\ufffde\ufffdd\ufffdBg\ufffdF\ufffdE\ufffd\ufffdRh\u0333\ufffd\ufffd\ufffd\ufffdQ\ufffd\ufffds\t&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \u0018I\u000e\u0014YUEr-+", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003B\"\u03d9", "http_path": "\u0018I\u000e\u0014YUEr-+", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003B\"\u03d8 \u0018I\u000e\u0014YUEr-+ HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \u0018I\u000e\u0014YUEr-+", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdB\"\ufffd\ufffd\u03d9\ufffd\ufffdI\ufffd\ufffd\ufffdY\ufffd\ufffd\ufffdU\ufffdEr-\ufffd\ufffd+ \u03000\ufffd\ufffde\ufffdd\ufffdBg\ufffdF\ufffdE\ufffd\ufffdRh\u0333\ufffd\ufffd\ufffd\ufffdQ\ufffd\ufffds\t&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_no_ua", "net_flood", "net_slowloris" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /.idea/dataSources.local.xml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /.idea/dataSources.local.xml UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.idea/dataSources.local.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.idea/dataSources.local.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.idea/ Ligne de requête `GET /.idea/dataSources.local.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.idea/dataSources.local.xml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebK Requête brute (extrait) GET /.idea/dataSources.local.xml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "3fb648f5c2ebf83230d15494859955478296821e", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "69f35c14ff491b04a05fe95ac539edbead309c12", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.400659638901887, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "bebc26a2a0c7305df23cb87d60d63a559b7a2bd1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0226" ], "matched_pattern_names": [ "Probe \/.idea\/" ], "pattern_ids": [ "pat-0226" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "50b0f1510e9360a8c222bf441f5ebf43", "payload_hash": "91626c93bdc0a0a5b4969f7743a7d636", "path_pattern_hash": "921ea8e3058ced1425d3fb1a6683e728" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebK", "method": "GET", "path": "\/.idea\/dataSources.local.xml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/dataSources.local.xml HTTP\/1.1", "request_sample": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebK", "evidence": { "method": "GET", "path": "\/.idea\/dataSources.local.xml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/dataSources.local.xml HTTP\/1.1", "request_sample": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "598caca9d6c1dad1e776751b0990b96152527cb7", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/dataSources.local.xml", "request_line": "GET \/.idea\/dataSources.local.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebK", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/dataSources.local.xml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/dataSources.local.xml", "request_line": "GET \/.idea\/dataSources.local.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/dataSources.local.xml", "evidence_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebK", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /.idea/WebServers.xml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /.idea/WebServers.xml UA Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.idea/WebServers.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.idea/WebServers.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.idea/ Ligne de requête `GET /.idea/WebServers.xml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.136 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.idea/WebServers.xml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537. Requête brute (extrait) GET /.idea/WebServers.xml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.136 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "d339eaacdd813eb9cf1c4e97668227b50c9b0706", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "732626ecbb27c33e1b5cffe507928daff3e1ffcb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.456656093315104, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "6d775d8cf41ac2d73b1e056865837d20251ed807", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0226" ], "matched_pattern_names": [ "Probe \/.idea\/" ], "pattern_ids": [ "pat-0226" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4de7c8accc397a2534f015ff8071e5df", "payload_hash": "d44f05cc2c25d7b204a5b36434b3db63", "path_pattern_hash": "3ef5b863418297cf1b3afb7572309761" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.", "method": "GET", "path": "\/.idea\/WebServers.xml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/WebServers.xml HTTP\/1.1", "request_sample": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/.idea\/WebServers.xml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/WebServers.xml HTTP\/1.1", "request_sample": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e17c44f1791a3fe7a1d1cbc7768d4b8d4d2deeda", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/WebServers.xml", "request_line": "GET \/.idea\/WebServers.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Mobile Safari\/537.\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/WebServers.xml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/WebServers.xml", "request_line": "GET \/.idea\/WebServers.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Mobile Safari\/537.\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/WebServers.xml", "evidence_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → 5bʫ]	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole ro 5bʫ] JA3 19e29534fd49dd27 Émulateur HTTP WAF 0 Recommandation Investiguer Tags http_no_ua net_flood net_slowloris Cible HTTP ro 5bʫ] TLS SNI — Capteur paris-1
Preuve / Evidence Méthode ro Port 8080 Chemin / cible 5bʫ] Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ Ligne de requête `RO 5bʫ] HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) ��r��o��5b�ʫ�]��#�ܝ]vĽ ��\o!��b��QZ�?��$��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��r��o�� 5b�ʫ�]��#�ܝ]vĽ ��\o!��b��QZ�?��$��&�+�/�,�0̨̩� �� /5� w �+3&$ ��z�u�� YD�h�q�� 0ٽq��\{ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "896c7257a0a65203fd3de6a1818a927d9519ae87", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003ro\u0016", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 239, "payload_entropy": 5.811782279278255, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5f9217dc41d7e020be5cfe6a650da409c7f9f55c", "event_fingerprint": "c88d30f1fcb1ed3dcb336e0d71c228ca1d196227", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7047298537ddab63c61f9a9f9c04ff25", "path_pattern_hash": "002a2f74b71952401458c231e88f3dda", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003ro\u0016", "path": "5b\u02ab]", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003RO\u0016 5b\u02ab] HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdr\ufffd\ufffdo\ufffd\ufffd\ufffd\u0016\ufffd\ufffd\u000b5b\ufffd\u02ab\ufffd]\ufffd\u001f\ufffd#\ufffd\u071d]\u0012v\u0001\u013d \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0006o!\ufffd\ufffd\ufffd\ufffd\ufffdb\ufffd\ufffdQ\u001bZ\u001a\ufffd?\ufffd\ufffd\u0010$\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003ro\u0016", "path": "5b\u02ab]", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003RO\u0016 5b\u02ab] HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdr\ufffd\ufffdo\ufffd\ufffd\ufffd\u0016\ufffd\ufffd\u000b5b\ufffd\u02ab\ufffd]\ufffd\u001f\ufffd#\ufffd\u071d]\u0012v\u0001\u013d \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0006o!\ufffd\ufffd\ufffd\ufffd\ufffdb\ufffd\ufffdQ\u001bZ\u001a\ufffd?\ufffd\ufffd\u0010$\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0000\ufffdz\ufffdu\ufffd\ufffd\ufffd\u000bYD\ufffdh\ufffdq\ufffd\ufffd\ufffd\ufffd\f\u001a\ufffd0\u067dq\ufffd\ufffd\\{", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdr\ufffd\ufffdo\ufffd\ufffd\ufffd\u0016\ufffd\ufffd\u000b5b\ufffd\u02ab\ufffd]\ufffd\u001f\ufffd#\ufffd\u071d]\u0012v\u0001\u013d \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0006o!\ufffd\ufffd\ufffd\ufffd\ufffdb\ufffd\ufffdQ\u001bZ\u001a\ufffd?\ufffd\ufffd\u0010$\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aaefc9baf271e087d4e244ef0ec112246972ba9d", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003ro\u0016", "http_path": "5b\u02ab]", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003RO\u0016 5b\u02ab] HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffd\ufffdr\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd\ufffd5b\ufffd\u02ab\ufffd]\ufffd\ufffd#\ufffd\u071d]v\u013d \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\o!\ufffd\ufffd\ufffd\ufffd\ufffdb\ufffd\ufffdQZ\ufffd?\ufffd\ufffd$\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 5b\u02ab]", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003ro\u0016", "http_path": "5b\u02ab]", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003RO\u0016 5b\u02ab] HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 5b\u02ab]", "evidence_snippet": "\ufffd\ufffd\ufffdr\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd\ufffd5b\ufffd\u02ab\ufffd]\ufffd\ufffd#\ufffd\u071d]v\u013d \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\o!\ufffd\ufffd\ufffd\ufffd\ufffdb\ufffd\ufffdQZ\ufffd?\ufffd\ufffd$\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_no_ua", "net_flood", "net_slowloris" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → 8/暲f	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole h8OB{ 8/暲f JA3 19e29534fd49dd27 Émulateur HTTP WAF 0 Recommandation Investiguer Tags http_no_ua net_flood net_slowloris Cible HTTP h8OB{ 8/暲f TLS SNI — Capteur paris-1
Preuve / Evidence Méthode h8OB{ Port 8080 Chemin / cible 8/暲f Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello OpenVPN P_CONTROL TFTP RRQ Ligne de requête `H8OB{ 8/暲f HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) ��h�8�O��B{� 8/��暲f��0� # �){��i��O� ��)��{PV��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��h�8�O��B{� 8/��暲f��0� # �){��i��O� ��)��{PV��&�+�/�,�0̨̩� �� /5� w �+3&$ T�T ��ǘ5j��>��U�� k� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "4a2eb9fe5b6f49db66d55f1ecb6ce438fd121835", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003h\u00198O\u0014B{", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 239, "payload_entropy": 5.73303915571698, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5f9217dc41d7e020be5cfe6a650da409c7f9f55c", "event_fingerprint": "58ef9cd142ee35a9e8b86c77205c48b89c2e39d9", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0622", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "OpenVPN P_CONTROL", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0622", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c7df50a872adda94bd1a899ad9062dc6", "path_pattern_hash": "5e314b029ddb2680be3c7d19823f33b9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003h\u00198O\u0014B{", "path": "8\/\u66b2f\u0011", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003H\u00198O\u0014B{ 8\/\u66b2f\u0011 HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003h\ufffd\u00198\ufffdO\ufffd\ufffd\u0014B{\ufffd\r8\/\ufffd\ufffd\u66b2f\ufffd\u0011\ufffd\ufffd\u001e\ufffd0\ufffd\r\u001a# \ufffd){\ufffd\u0010\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffdO\ufffd\n\ufffd\ufffd)\u001f\ufffd\ufffd{PV\u0006\u0016\ufffd\ufffd\u0006\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003h\u00198O\u0014B{", "path": "8\/\u66b2f\u0011", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003H\u00198O\u0014B{ 8\/\u66b2f\u0011 HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003h\ufffd\u00198\ufffdO\ufffd\ufffd\u0014B{\ufffd\r8\/\ufffd\ufffd\u66b2f\ufffd\u0011\ufffd\ufffd\u001e\ufffd0\ufffd\r\u001a# \ufffd){\ufffd\u0010\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffdO\ufffd\n\ufffd\ufffd)\u001f\ufffd\ufffd{PV\u0006\u0016\ufffd\ufffd\u0006\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 T\ufffdT\r\ufffd\ufffd\u01d85j\ufffd\ufffd\ufffd\u0003>\u0011\ufffd\u0000\ufffdU\ufffd\u0006\ufffd\ufffd\ufffd\ufffd\ufffd k\u0004\ufffd\u0014", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003h\ufffd\u00198\ufffdO\ufffd\ufffd\u0014B{\ufffd\r8\/\ufffd\ufffd\u66b2f\ufffd\u0011\ufffd\ufffd\u001e\ufffd0\ufffd\r\u001a# \ufffd){\ufffd\u0010\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffdO\ufffd\n\ufffd\ufffd)\u001f\ufffd\ufffd{PV\u0006\u0016\ufffd\ufffd\u0006\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "29da2eefe778f3a257ab06ddd2e0b06d21236b76", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003h\u00198O\u0014B{", "http_path": "8\/\u66b2f\u0011", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003H\u00198O\u0014B{ 8\/\u66b2f\u0011 HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffdh\ufffd8\ufffdO\ufffd\ufffdB{\ufffd\r8\/\ufffd\ufffd\u66b2f\ufffd\ufffd\ufffd\ufffd0\ufffd\r# \ufffd){\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffdO\ufffd\n\ufffd\ufffd)\ufffd\ufffd{PV\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 8\/\u66b2f\u0011", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003h\u00198O\u0014B{", "http_path": "8\/\u66b2f\u0011", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003H\u00198O\u0014B{ 8\/\u66b2f\u0011 HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 8\/\u66b2f\u0011", "evidence_snippet": "\ufffd\ufffdh\ufffd8\ufffdO\ufffd\ufffdB{\ufffd\r8\/\ufffd\ufffd\u66b2f\ufffd\ufffd\ufffd\ufffd0\ufffd\r# \ufffd){\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd*O\ufffd\n\ufffd\ufffd)\ufffd\ufffd{PV\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_no_ua", "net_flood", "net_slowloris" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /.idea/deployment.xml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /.idea/deployment.xml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.idea/deployment.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.idea/deployment.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.idea/ Ligne de requête `GET /.idea/deployment.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3881.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.idea/deployment.xml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /.idea/deployment.xml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3881.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "6248a21119bdaee134d759b888350000b7a88364", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "ff773c35f260c28fb8b1bfb4252a50f6e0022b05", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.408416155876305, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "7d092629e36109649537af9a807b0580e44aa0c1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0226" ], "matched_pattern_names": [ "Probe \/.idea\/" ], "pattern_ids": [ "pat-0226" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "929d4bea413313f1809d74ee02dea465", "payload_hash": "af790d7401af90a00396cca56d53d82b", "path_pattern_hash": "36b6d965d63f408f7c773a687ac24612" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/.idea\/deployment.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3881.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/deployment.xml HTTP\/1.1", "request_sample": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3881.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/.idea\/deployment.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3881.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/deployment.xml HTTP\/1.1", "request_sample": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3881.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fa16522e146a5a319b88884390dd78b30b1dad24", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/deployment.xml", "request_line": "GET \/.idea\/deployment.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3881.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/deployment.xml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/deployment.xml", "request_line": "GET \/.idea\/deployment.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3881.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/deployment.xml", "evidence_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /tgu	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole G.hT /tgu JA3 19e29534fd49dd27 Émulateur HTTP WAF 0 Recommandation Investiguer Tags http_no_ua net_flood net_slowloris Cible HTTP G.hT /tgu TLS SNI — Capteur paris-1
Preuve / Evidence Méthode G.hT Port 8080 Chemin / cible /tgu Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ Ligne de requête `G.HT /tgu HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) ��G.��h�T��/t��gu�6�쿭 ��JIzq$��(�Iӷ��wo,��k.'2��+&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��G.��h�T��/t��gu �6�쿭 ��JIzq$��(�Iӷ��wo,��k.'2��+ &�+�/�,�0̨̩� �� /5� w �+3&$ �#�@s� �8�UȞ��A�ARR ��Zf�0n- Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "c3fae768b38906b5b4538d06184fb82375dcc3f6", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003G.hT", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 239, "payload_entropy": 5.855924674388918, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5f9217dc41d7e020be5cfe6a650da409c7f9f55c", "event_fingerprint": "d97dc6ee98a670366e0706a4c65d444477a85ceb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0e67a0ca3f31d772352f8cc48b8f6ace", "path_pattern_hash": "577cf0c665438d5c6c670ec89ee18d03", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003G.hT", "path": "\u0015\/t\u0002gu", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003G.HT \u0015\/t\u0002gu HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdG.\ufffd\ufffd\ufffd\ufffdh\ufffdT\ufffd\u001f\u0015\ufffd\/t\ufffd\ufffd\ufffd\ufffd\u0002gu\u000b\ufffd6\ufffd\ucfed \ufffd\ufffdJIzq$\ufffd\ufffd\ufffd(\ufffdI\u04f7\ufffd\ufffdwo,\ufffd\u0001\ufffdk.'\u00012\ufffd\ufffd+\u000b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003G.hT", "path": "\u0015\/t\u0002gu", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003G.HT \u0015\/t\u0002gu HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdG.\ufffd\ufffd\ufffd\ufffdh\ufffdT\ufffd\u001f\u0015\ufffd\/t\ufffd\ufffd\ufffd\ufffd\u0002gu\u000b\ufffd6\ufffd\ucfed \ufffd\ufffdJIzq$\ufffd\ufffd\ufffd(\ufffdI\u04f7\ufffd\ufffdwo,\ufffd\u0001\ufffdk.'\u00012\ufffd\ufffd+\u000b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd#\ufffd@s\ufffd\n \ufffd8\ufffdU\u021e\u001f\ufffd\ufffdA\ufffdARR\n\ufffd\ufffdZf\ufffd0n-", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdG.\ufffd\ufffd\ufffd\ufffdh\ufffdT\ufffd\u001f\u0015\ufffd\/t\ufffd\ufffd\ufffd\ufffd\u0002gu\u000b\ufffd6\ufffd\ucfed \ufffd\ufffdJIzq$\ufffd\ufffd\ufffd(\ufffdI\u04f7\ufffd\ufffdwo,\ufffd\u0001\ufffdk.'\u00012\ufffd\ufffd+\u000b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "26f743edb3e237cfecf30d105cc10e02e3f04464", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003G.hT", "http_path": "\u0015\/t\u0002gu", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003G.HT \u0015\/t\u0002gu HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffd\ufffdG.\ufffd\ufffd\ufffd\ufffdh\ufffdT\ufffd\ufffd\/t\ufffd\ufffd\ufffd\ufffdgu\ufffd6\ufffd\ucfed \ufffd\ufffdJIzq$\ufffd\ufffd\ufffd(\ufffdI\u04f7\ufffd\ufffdwo,\ufffd\ufffdk.'2\ufffd\ufffd+&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \u0015\/t\u0002gu", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003G.hT", "http_path": "\u0015\/t\u0002gu", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003G.HT \u0015\/t\u0002gu HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \u0015\/t\u0002gu", "evidence_snippet": "\ufffd\ufffd\ufffdG.\ufffd\ufffd\ufffd\ufffdh\ufffdT\ufffd\ufffd\/t\ufffd\ufffd\ufffd\ufffdgu\ufffd6\ufffd\ucfed \ufffd\ufffdJIzq$\ufffd\ufffd\ufffd(\ufffdI\u04f7\ufffd\ufffdwo,\ufffd\ufffdk.'2\ufffd\ufffd+&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_no_ua", "net_flood", "net_slowloris" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → ~~f'*	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole !#TB ~~f'* JA3 19e29534fd49dd27 Émulateur HTTP WAF 0 Recommandation Investiguer Tags http_no_ua net_flood net_slowloris Cible HTTP !#TB ~~f'* TLS SNI — Capteur paris-1
Preuve / Evidence Méthode !#TB Port 8080 Chemin / cible ~~f'* Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ Ligne de requête `!#TB ~~f'* HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) ��!#�TB ��~�~f'��* Ƴ�� ſ��>]S� �u:�մ��d�e�A�}Zz{��$��J��E,&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��!#�TB ��~�~f'��* Ƴ�� ſ��>]S� �u:�մ��d�e�A�}Zz{��$��J��E,&�+�/�,�0̨̩� �� /5� w �+3&$ EW<��B�4�5PU�a�,{/��Ja��m Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "5f498b9cccb32e02967f6ad81e96d6a66e057e60", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003!#TB", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 239, "payload_entropy": 5.856964360565961, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5f9217dc41d7e020be5cfe6a650da409c7f9f55c", "event_fingerprint": "2a6be802d6c2970130493cd541409df34ee69ee2", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "06c7122190ce4d878a266b58175a6e60", "path_pattern_hash": "e4e5530b6e5098b48954719e9cb31d73", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003!#TB", "path": "\u0013~~f'", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003!#TB \u0013~~f'* HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003!#\ufffdTB \u0013\ufffd\ufffd~\ufffd~f'\ufffd\ufffd\ufffd\r\u01b3\ufffd\ufffd \u017f\ufffd\ufffd>]S\ufffd \ufffdu\u0012:\ufffd\u000e\u0574\ufffd\ufffdd\ufffde\ufffdA\ufffd}Zz{\ufffd\ufffd\u0006$\ufffd\ufffdJ\ufffd\ufffdE,\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003!#TB", "path": "\u0013~~f'", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003!#TB \u0013~~f'* HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003!#\ufffdTB \u0013\ufffd\ufffd~\ufffd~f'\ufffd\ufffd\ufffd\r\u01b3\ufffd\ufffd \u017f\ufffd\ufffd>]S\ufffd \ufffdu\u0012:\ufffd\u000e\u0574\ufffd\ufffdd\ufffde\ufffdA\ufffd}Zz{\ufffd\ufffd\u0006$\ufffd\ufffdJ\ufffd\ufffdE,\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 EW<\ufffd\ufffd\ufffd\u0006\u0014B\ufffd4\ufffd5PU\ufffda\u0014\ufffd,{\/\ufffd\ufffd\ufffdJa\ufffd\ufffdm", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003!#\ufffdTB \u0013\ufffd\ufffd~\ufffd~f'\ufffd\ufffd\ufffd\r\u01b3\ufffd\ufffd \u017f\ufffd\ufffd>]S\ufffd \ufffdu\u0012:\ufffd\u000e\u0574\ufffd\ufffdd\ufffde\ufffdA\ufffd}Zz{\ufffd\ufffd\u0006$\ufffd\ufffdJ\ufffd\ufffdE,\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "64fa2311d5c26c164e15c9402431646fad6afdd7", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003!#TB", "http_path": "\u0013~~f'", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003!#TB \u0013~~f'* HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffd!#\ufffdTB \ufffd\ufffd~\ufffd~f'\ufffd\ufffd\ufffd\r\u01b3\ufffd\ufffd \u017f\ufffd\ufffd>]S\ufffd \ufffdu:\ufffd\u0574\ufffd\ufffdd\ufffde\ufffdA\ufffd}Zz{\ufffd\ufffd$\ufffd\ufffdJ\ufffd\ufffdE,&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \u0013~~f'", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003!#TB", "http_path": "\u0013~~f'", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003!#TB \u0013~~f' HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \u0013~~f'", "evidence_snippet": "\ufffd\ufffd!#\ufffdTB \ufffd\ufffd~\ufffd~f'\ufffd\ufffd\ufffd\r\u01b3\ufffd\ufffd \u017f\ufffd\ufffd>]S\ufffd \ufffdu:\ufffd\u0574\ufffd\ufffdd\ufffde\ufffdA\ufffd}Zz{\ufffd\ufffd$\ufffd\ufffdJ\ufffd\ufffdE,&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_no_ua", "net_flood", "net_slowloris" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → .	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole zYP . JA3 19e29534fd49dd27 Émulateur HTTP WAF 0 Recommandation Investiguer Tags http_no_ua net_flood net_slowloris Cible HTTP zYP . TLS SNI — Capteur paris-1
Preuve / Evidence Méthode zYP Port 8080 Chemin / cible . Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ Ligne de requête `ZYP . HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) ��z��Y�P��.�� ކK��5'?� @�Č2Ӥc�A荚J��j��Y�N�� &�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��z��Y�P��.�� ކK��5'?� @�Č2Ӥc�A荚J��j��Y� N�� &�+�/�,�0̨̩� �� /5� w �+3&$ �/+��s�ڗ�b� �W�C��j^+�7 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "\u0000", "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "f3e84b722399601ad7e281754e917478aa9ad48d", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u0003z\u0001Y\u0006P", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 239, "payload_entropy": 5.851415979115934, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5f9217dc41d7e020be5cfe6a650da409c7f9f55c", "event_fingerprint": "b73fdef7caa16948c8724e38ecec409fda0f06a8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a32dc9fb666a1f19921befa329fa8776", "path_pattern_hash": "075d3ddf5a3a826e13a92288e853bc4b", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u0003z\u0001Y\u0006P", "path": ".\u0000", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u0003Z\u0001Y\u0006P .\u0000 HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0003\ufffdz\ufffd\ufffd\ufffd\u0001Y\ufffd\u0006P\ufffd\ufffd\u001c.\u0000\ufffd\ufffd\r\u0786K\ufffd\ufffd\ufffd\ufffd\ufffd5'?\ufffd @\ufffd\u010c2\u04e4\u0015c\ufffdA\u835aJ\ufffd\ufffd\u0003\u001aj\ufffd\ufffd\ufffdY\ufffd\fN\ufffd\u0007\ufffd\n\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u0003z\u0001Y\u0006P", "path": ".\u0000", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u0003Z\u0001Y\u0006P .\u0000 HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0003\ufffdz\ufffd\ufffd\ufffd\u0001Y\ufffd\u0006P\ufffd\ufffd\u001c.\u0000\ufffd\ufffd\r\u0786K\ufffd\ufffd\ufffd\ufffd\ufffd5'?\ufffd @\ufffd\u010c2\u04e4\u0015c\ufffdA\u835aJ\ufffd\ufffd\u0003\u001aj\ufffd\ufffd\ufffdY\ufffd\fN\ufffd\u0007\ufffd\n\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\/+\ufffd\ufffd\ufffds\ufffd\u0697\ufffdb\ufffd\r\ufffd\u000eW\ufffdC\ufffd\ufffd\ufffd\u0010\ufffd\ufffdj^+\ufffd7\n", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0003\ufffdz\ufffd\ufffd\ufffd\u0001Y\ufffd\u0006P\ufffd\ufffd\u001c.\u0000\ufffd\ufffd\r\u0786K\ufffd\ufffd\ufffd\ufffd\ufffd5'?\ufffd @\ufffd\u010c2\u04e4\u0015c\ufffdA\u835aJ\ufffd\ufffd\u0003\u001aj\ufffd\ufffd\ufffdY\ufffd\fN\ufffd\u0007\ufffd\n\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "423631aa8cd4e198b04b54dcf389a7a2277de5e6", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u0003z\u0001Y\u0006P", "http_path": ".\u0000", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u0003Z\u0001Y\u0006P .\u0000 HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffd\ufffdz\ufffd\ufffd\ufffdY\ufffdP\ufffd\ufffd.\ufffd\ufffd\r\u0786K\ufffd\ufffd\ufffd\ufffd\ufffd5'?\ufffd @\ufffd\u010c2\u04e4c\ufffdA\u835aJ\ufffd\ufffdj\ufffd\ufffd\ufffdY\ufffdN\ufffd\ufffd\n&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 .\u0000", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u0003z\u0001Y\u0006P", "http_path": ".\u0000", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u0003Z\u0001Y\u0006P .\u0000 HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 .\u0000", "evidence_snippet": "\ufffd\ufffd\ufffdz\ufffd\ufffd\ufffdY\ufffdP\ufffd\ufffd.\ufffd\ufffd\r\u0786K\ufffd\ufffd\ufffd\ufffd\ufffd5'?\ufffd @\ufffd\u010c2\u04e4c\ufffdA\u835aJ\ufffd\ufffdj\ufffd\ufffd\ufffdY\ufffdN\ufffd\ufffd\n&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_no_ua", "net_flood", "net_slowloris" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → 9kP̌5"OHt[c*	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole f 9kP̌5"OHt[c* JA3 19e29534fd49dd27 Émulateur HTTP WAF 0 Recommandation Investiguer Tags http_no_ua net_flood net_slowloris Cible HTTP f 9kP̌5"OHt[c* TLS SNI — Capteur paris-1
Preuve / Evidence Méthode f Port 8080 Chemin / cible 9kP̌5"OHt[c* Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ Ligne de requête `F 9kP̌5"OHt[c* HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) ��f��9��k��P��̌�5"O�H�t[c�� �+�� ue�I�b��6�oVnW��Q,&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��f��9��k��P��̌�5"O�H�t[c�� �+�� ue�I�b��6�oVnW��Q,&�+�/�,�0̨̩� �� /5� w �+3&$ �� D��&xmyl�%�12P�3��^GT Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "60b8b6466e970138ad773253822223ca9bd11a2f", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003f", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 239, "payload_entropy": 5.910799744655154, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5f9217dc41d7e020be5cfe6a650da409c7f9f55c", "event_fingerprint": "d8f28d1703a7ab92b9e028e277b385faa373f604", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "dfc271a051f387d56c00ebd28eb02745", "path_pattern_hash": "f9492c5a5a58e10c2c9cfca896d934a9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003f", "path": "9k\u0011P\u030c5\"O\u0003Ht[c", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003F 9k\u0011P\u030c5\"O\u0003Ht[c HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003f\ufffd\u001e\ufffd\ufffd9\ufffd\ufffdk\ufffd\ufffd\u0011\ufffdP\ufffd\ufffd\u030c\ufffd5\"O\u0003\ufffdH\ufffdt[c\ufffd\ufffd \ufffd+\ufffd\ufffd\t\ufffdu\u0019e\ufffdI\ufffdb\u0012\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdoV\u0017\u0012nW\u000f\ufffd\ufffdQ,\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003f", "path": "9k\u0011P\u030c5\"O\u0003Ht[c", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003F 9k\u0011P\u030c5\"O\u0003Ht[c* HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003f\ufffd\u001e\ufffd\ufffd9\ufffd\ufffdk\ufffd\ufffd\u0011\ufffdP\ufffd\ufffd\u030c\ufffd5\"O\u0003\ufffdH\ufffdt[c\ufffd\ufffd \ufffd+\ufffd\ufffd\t\ufffdu\u0019e\ufffdI\ufffdb\u0012\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdoV\u0017\u0012nW\u000f\ufffd\ufffdQ,\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \f\ufffd\ufffd\ufffd\u000b\u001f\ufffdD\ufffd\ufffd\ufffd&xm\u000ey\u0005l\ufffd%\ufffd12P\ufffd3\ufffd\ufffd^GT\u001c", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003f\ufffd\u001e\ufffd\ufffd9\ufffd\ufffdk\ufffd\ufffd\u0011\ufffdP\ufffd\ufffd\u030c\ufffd5\"O\u0003\ufffdH\ufffdt[c\ufffd\ufffd \ufffd+\ufffd\ufffd\t\ufffdu\u0019e\ufffdI\ufffdb\u0012\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdoV\u0017\u0012nW\u000f\ufffd\ufffdQ,\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "316d59e2faeeeb994161598565c1d8d337593546", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003f", "http_path": "9k\u0011P\u030c5\"O\u0003Ht[c", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003F 9k\u0011P\u030c5\"O\u0003Ht[c HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffdf\ufffd\ufffd\ufffd9\ufffd\ufffdk\ufffd\ufffd\ufffdP\ufffd\ufffd\u030c\ufffd5\"O\ufffdH\ufffdt[c\ufffd\ufffd \ufffd+\ufffd\ufffd\t\ufffdue\ufffdI\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdoVnW\ufffd\ufffdQ,&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 9k\u0011P\u030c5\"O\u0003Ht[c", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003f", "http_path": "9k\u0011P\u030c5\"O\u0003Ht[c", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003F 9k\u0011P\u030c5\"O\u0003Ht[c HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 9k\u0011P\u030c5\"O\u0003Ht[c", "evidence_snippet": "\ufffd\ufffdf\ufffd\ufffd\ufffd9\ufffd\ufffdk\ufffd\ufffd\ufffdP\ufffd\ufffd\u030c\ufffd5\"O\ufffdH\ufffdt[c\ufffd\ufffd \ufffd+\ufffd\ufffd\t\ufffdue\ufffdI\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdoVnW\ufffd\ufffdQ,&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_no_ua", "net_flood", "net_slowloris" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → ]B	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole kzIxa ]B JA3 19e29534fd49dd27 Émulateur HTTP WAF 0 Recommandation Investiguer Tags http_no_ua net_flood net_slowloris Cible HTTP kzIxa ]B TLS SNI — Capteur paris-1
Preuve / Evidence Méthode kzIxa Port 8080 Chemin / cible ]B Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ Ligne de requête `KZIXA ]B HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) ��kzIx�a��]B �Hu%9�k�� [G# .�w�gK �� pYN:_n�pw,;��gL�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��kzIx�a��]B �Hu%9�k�� [G# .�w�gK �� pYN:_n�pw,;��gL�&�+�/�,�0̨̩� �� /5� w �+3&$ ؙ�/{��$�9��+��Q'�s�3�x�& Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "12a3bd64ab06d0aa7a4294b35d14a53387ccd35a", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u000fkzIxa", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 239, "payload_entropy": 5.736420244932727, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5f9217dc41d7e020be5cfe6a650da409c7f9f55c", "event_fingerprint": "0be105b1f5006db5d244a95dc3460aa4f06856eb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f1ff97e67b8ebae39f0219709286e0fb", "path_pattern_hash": "7e112126c79d256c51d7616c9f299ac2", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u000fkzIxa", "path": "]B", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u000fKZIXA ]B HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000fkzIx\ufffda\u001d\ufffd\ufffd\ufffd]B \ufffdHu%9\ufffdk\ufffd\ufffd\t\ufffd\ufffd[\u0001G# .\ufffd\u0001w\b\ufffdgK\t\u0013\ufffd\ufffd\npYN:_n\ufffdpw\u0000,;\ufffd\ufffd\ufffd\ufffdgL\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u000fkzIxa", "path": "]B", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u000fKZIXA ]B HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000fkzIx\ufffda\u001d\ufffd\ufffd\ufffd]B \ufffdHu%9\ufffdk\ufffd\ufffd\t\ufffd\ufffd[\u0001G# .\ufffd\u0001w\b\ufffdgK\t\u0013\ufffd\ufffd\npYN:_n\ufffdpw\u0000,;\ufffd\ufffd\ufffd\ufffdgL\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0619\ufffd\u001e\/{\ufffd\ufffd$\ufffd9\ufffd\ufffd\u0019+\ufffd\u0015\ufffd\ufffdQ\u001e'\u001e\u001a\ufffds\ufffd3\ufffdx\ufffd&", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000fkzIx\ufffda\u001d\ufffd\ufffd\ufffd]B \ufffdHu%9\ufffdk\ufffd\ufffd\t\ufffd\ufffd[\u0001G# .\ufffd\u0001w\b\ufffdgK\t\u0013\ufffd\ufffd\npYN:_n\ufffdpw\u0000,;\ufffd\ufffd\ufffd\ufffdgL\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "197fc5cfa791ec382ba124f95409ef0438da67b6", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u000fkzIxa", "http_path": "]B", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u000fKZIXA ]B HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffd\ufffdkzIx\ufffda\ufffd\ufffd\ufffd]B \ufffdHu%9\ufffdk\ufffd\ufffd\t\ufffd\ufffd[G# .\ufffdw\ufffdgK\t\ufffd\ufffd\npYN:_n\ufffdpw,;\ufffd\ufffd\ufffd\ufffdgL\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 ]B", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u000fkzIxa", "http_path": "]B", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003\u000fKZIXA ]B HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 ]B", "evidence_snippet": "\ufffd\ufffd\ufffdkzIx\ufffda\ufffd\ufffd\ufffd]B \ufffdHu%9\ufffdk\ufffd\ufffd\t\ufffd\ufffd[G# .\ufffdw\ufffdgK\t\ufffd\ufffd\npYN:_n\ufffdpw,;\ufffd\ufffd\ufffd\ufffdgL\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_no_ua", "net_flood", "net_slowloris" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → WK^S	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole )7JM WK^S JA3 19e29534fd49dd27 Émulateur HTTP WAF 0 Recommandation Investiguer Tags http_no_ua net_flood net_slowloris Cible HTTP )7JM WK^S TLS SNI — Capteur paris-1
Preuve / Evidence Méthode )7JM Port 8080 Chemin / cible WK^S Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ Ligne de requête `)7JM WK^S HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) ��)7JM W�K�^��S%��%DujKv�#�[� �g�F��\�ow"5��K��yf��#h>��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��)7JM W�K�^��S%��%DujKv�#�[� �g�F��\�ow"5��K��yf��#h>��&�+�/�,�0̨̩� �� /5� w �+3&$ ��T4��T��F0��o9�d�>u��ʲU Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "04e67543201e6a255b028ad313e7b70e05a95162", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003)\u00037JM", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 239, "payload_entropy": 5.8007464099302055, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5f9217dc41d7e020be5cfe6a650da409c7f9f55c", "event_fingerprint": "6a8d02f570dae23c7b4b8e824870a25535dab537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b0722a516070b6ed675ccfd98550783a", "path_pattern_hash": "fd41014617a63d24aed17dedfdceed52", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003)\u00037JM", "path": "W\u0001K^S\u0000", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003)\u00037JM W\u0001K^S\u0000 HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)\u00037JM\tW\ufffd\u0001K\ufffd^\ufffd\ufffdS\u0000\u001c%\ufffd\ufffd\u001f%DujKv\ufffd#\ufffd[\ufffd \ufffdg\u0013\ufffdF\u001b\ufffd\ufffd\\\ufffdow\u0018\"5\ufffd\u0007\ufffdK\ufffd\ufffdyf\ufffd\u001b\ufffd#h>\ufffd\u0010\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003)\u00037JM", "path": "W\u0001K^S\u0000", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003)\u00037JM W\u0001K^S\u0000 HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)\u00037JM\tW\ufffd\u0001K\ufffd^\ufffd\ufffdS\u0000\u001c%\ufffd\ufffd\u001f%DujKv\ufffd#\ufffd[\ufffd \ufffdg\u0013\ufffdF\u001b\ufffd\ufffd\\\ufffdow\u0018\"5\ufffd\u0007\ufffdK\ufffd\ufffdyf\ufffd\u001b\ufffd#h>\ufffd\u0010\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffdT4\ufffd\ufffdT\ufffd\ufffd\u001eF\u00070\ufffd\ufffdo9\ufffdd\ufffd>u\ufffd\u0005\ufffd\ufffd\u02b2U", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)\u00037JM\tW\ufffd\u0001K\ufffd^\ufffd\ufffdS\u0000\u001c%\ufffd\ufffd\u001f%DujKv\ufffd#\ufffd[\ufffd \ufffdg\u0013\ufffdF\u001b\ufffd\ufffd\\\ufffdow\u0018\"5\ufffd\u0007\ufffdK\ufffd\ufffdyf\ufffd\u001b\ufffd#h>\ufffd\u0010\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "84854e7897ba6ba7a8dc511c505c6ea338a970e3", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003)\u00037JM", "http_path": "W\u0001K^S\u0000", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003)\u00037JM W\u0001K^S\u0000 HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffd)7JM\tW\ufffdK\ufffd^\ufffd\ufffdS%\ufffd\ufffd%DujKv\ufffd#\ufffd[\ufffd \ufffdg\ufffdF\ufffd\ufffd\\\ufffdow\"5\ufffd\ufffdK\ufffd\ufffdyf\ufffd\ufffd#h>\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 W\u0001K^S\u0000", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003)\u00037JM", "http_path": "W\u0001K^S\u0000", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003)\u00037JM W\u0001K^S\u0000 HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 W\u0001K^S\u0000", "evidence_snippet": "\ufffd\ufffd)7JM\tW\ufffdK\ufffd^\ufffd\ufffdS%\ufffd\ufffd%DujKv\ufffd#\ufffd[\ufffd \ufffdg\ufffdF\ufffd\ufffd\\\ufffdow\"5\ufffd\ufffdK\ufffd\ufffdyf\ufffd\ufffd#h>\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_no_ua", "net_flood", "net_slowloris" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /.vscode/launch.json	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /.vscode/launch.json UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.vscode/launch.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.vscode/launch.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.vscode/ Ligne de requête `GET /.vscode/launch.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.vscode/launch.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi Requête brute (extrait) GET /.vscode/launch.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "18d0c4c66bfeb47f5713a590ffcf98a2b0de5ca4", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "f955acacb64b027ce0fe999c2601f7358bc4da5a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.34888390070135, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "0a7be8d69db6c28bb75ef1bb4fd36311ab23caad", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0227" ], "matched_pattern_names": [ "Probe \/.vscode\/" ], "pattern_ids": [ "pat-0227" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea9a3dec4dce8747ef8c835f03590297", "payload_hash": "20126f0cfd3c94ad0adf6fa7956ffa77", "path_pattern_hash": "2ff6c8576629cb803256f3fb9cd546fa" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi", "method": "GET", "path": "\/.vscode\/launch.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/launch.json HTTP\/1.1", "request_sample": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi", "evidence": { "method": "GET", "path": "\/.vscode\/launch.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/launch.json HTTP\/1.1", "request_sample": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e39beb7ffe41ba56f38a8dc98c32b72de317bbaf", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/launch.json", "request_line": "GET \/.vscode\/launch.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/launch.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/launch.json", "request_line": "GET \/.vscode\/launch.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/launch.json", "evidence_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /.gitlab-ci.yml	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /.gitlab-ci.yml UA portalmmm/2.0 N410i(c20;TB) Émulateur HTTP WAF 7 Recommandation Investiguer Tags 950326:rce-0 http_sensitive_path net_flood Cible HTTP GET /.gitlab-ci.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.gitlab-ci.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.gitlab-ci.yml HTTP/1.1` User-Agent portalmmm/2.0 N410i(c20;TB) Règles WAF rce-0 Payload (extrait) GET /.gitlab-ci.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: portalmmm/2.0 N410i(c20;TB) Accept-Charset: utf-8 Accept-Enco Requête brute (extrait) GET /.gitlab-ci.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: portalmmm/2.0 N410i(c20;TB) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "da71d19ef6e80493b963399c833008807dd6b50f", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "438af05b92495206533fc223d46e511d40c32485", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 161, "payload_entropy": 5.213760335524839, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 36, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "dbcfc7e239dae73431c79ab3a1cb628d00dfbf97", "event_fingerprint": "fa79ac47032d5172ab2503c9218e6b1ed330ed1e", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e2939652b62a2b1b92a23872375861de", "payload_hash": "c827a67779adab9ce80f17fadbd54b72", "path_pattern_hash": "1c248e6546ed96558dfcda198b4e61ef" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: portalmmm\/2.0 N410i(c20;TB)\r\nAccept-Charset: utf-8\r\nAccept-Enco", "method": "GET", "path": "\/.gitlab-ci.yml", "user_agent": "portalmmm\/2.0 N410i(c20;TB)", "waf_tags": [ "950326:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "request_sample": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: portalmmm\/2.0 N410i(c20;TB)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: portalmmm\/2.0 N410i(c20;TB)\r\nAccept-Charset: utf-8\r\nAccept-Enco", "evidence": { "method": "GET", "path": "\/.gitlab-ci.yml", "user_agent": "portalmmm\/2.0 N410i(c20;TB)", "waf_tags": [ "950326:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "request_sample": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: portalmmm\/2.0 N410i(c20;TB)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: portalmmm\/2.0 N410i(c20;TB)\r\nAccept-Charset: utf-8\r\nAccept-Enco", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4d5b9ac6cbfe25f24bbc14fa1b6e319e57b15ed9", "protocol_details": { "http_method": "GET", "http_path": "\/.gitlab-ci.yml", "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "http_user_agent": "portalmmm\/2.0 N410i(c20;TB)", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: portalmmm\/2.0 N410i(c20;TB)\r\nAccept-Charset: utf-8\r\nAccept-Enco", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitlab-ci.yml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.gitlab-ci.yml", "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "http_user_agent": "portalmmm\/2.0 N410i(c20;TB)", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitlab-ci.yml", "evidence_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: portalmmm\/2.0 N410i(c20;TB)\r\nAccept-Charset: utf-8\r\nAccept-Enco", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 36 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /.vscode/tasks.json	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /.vscode/tasks.json UA Mozilla/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.vscode/tasks.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.vscode/tasks.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.vscode/ Ligne de requête `GET /.vscode/tasks.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.vscode/tasks.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit/537.3 Requête brute (extrait) GET /.vscode/tasks.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "437bd15ff58b2f59ab74723917d34ccc4b225b07", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "92e911a3df5ad35698662851e6649fca8b9cc765", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.4436935341879265, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "86dea2d5af3b8b90b0c294c4a8b6cc11641538a4", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0227" ], "matched_pattern_names": [ "Probe \/.vscode\/" ], "pattern_ids": [ "pat-0227" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "25c221e4c832d379f43feb5348f480df", "payload_hash": "214516a07fbc99cc32086195a7f0d768", "path_pattern_hash": "71d0e06039e234c8f571eb83415e4643" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.3", "method": "GET", "path": "\/.vscode\/tasks.json", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/tasks.json HTTP\/1.1", "request_sample": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/.vscode\/tasks.json", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/tasks.json HTTP\/1.1", "request_sample": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "52c636ae3d5c03d96c70349bacd88d3f9e236e4b", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/tasks.json", "request_line": "GET \/.vscode\/tasks.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/tasks.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/tasks.json", "request_line": "GET \/.vscode\/tasks.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/tasks.json", "evidence_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.3", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /.vscode/sftp.json	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /.vscode/sftp.json UA Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebK… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.vscode/sftp.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.vscode/sftp.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.vscode/ Ligne de requête `GET /.vscode/sftp.json HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.vscode/sftp.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleW Requête brute (extrait) GET /.vscode/sftp.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "348bfc67931f66030b19bb33f3525c4330e222ad", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "a7b754a65cd3a72c45519ffad56ec4883c279ab1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 270, "payload_entropy": 5.367713042169516, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c8d532fd571fd4bc57e235f2c7130d1700018c0e", "event_fingerprint": "8df1255c216fed121b64e95e1d24755759d2d274", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0227" ], "matched_pattern_names": [ "Probe \/.vscode\/" ], "pattern_ids": [ "pat-0227" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3b5da2dbddd14957f937a96cc0ffd121", "payload_hash": "5668778d6ed351c07be6ecbf4e43e472", "path_pattern_hash": "4379ee7559d68deac5f1bf414dd60187" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleW", "method": "GET", "path": "\/.vscode\/sftp.json", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A403 Safari\/8536.25", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "request_sample": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A403 Safari\/8536.25\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleW", "evidence": { "method": "GET", "path": "\/.vscode\/sftp.json", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A403 Safari\/8536.25", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "request_sample": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A403 Safari\/8536.25\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleW", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4fe4809c1dad941e6ca324b23ade1a1bfcab3f93", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/sftp.json", "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A403 \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleW", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/sftp.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/sftp.json", "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit\/536.26 (KHTML, like Gecko) Version\/6.0 Mobile\/10A403 \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/sftp.json", "evidence_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleW", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /.travis.yml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /.travis.yml UA Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleW… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.travis.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.travis.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.travis.yml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.302.2 Safari/532.8 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.travis.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebK Requête brute (extrait) GET /.travis.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.302.2 Safari/532.8 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "ce218f184e1cba9966d89e89b9755866baa2d9f7", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "0f539eb712332002814a106c4304479b90529490", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.4009581887342195, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "af46f4490583348c3c97a1341b3608ca1dbd9fcc", "event_fingerprint": "3748d44d8b6115ece670f06852dac55ce2e3c2f2", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5674afcbbfe82c9d6448386553bdc64c", "payload_hash": "737cfeaa9939fc4d7918c50aa2a0db08", "path_pattern_hash": "31215e4931d9a8bb956098a35abb0b27" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebK", "method": "GET", "path": "\/.travis.yml", "user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.302.2 Safari\/532.8", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.travis.yml HTTP\/1.1", "request_sample": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.302.2 Safari\/532.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebK", "evidence": { "method": "GET", "path": "\/.travis.yml", "user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.302.2 Safari\/532.8", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.travis.yml HTTP\/1.1", "request_sample": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.302.2 Safari\/532.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "876b8bcb55201e0a2150ab6a31b566b23c1b413c", "protocol_details": { "http_method": "GET", "http_path": "\/.travis.yml", "request_line": "GET \/.travis.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.302.2 Safari\/\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebK", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.travis.yml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.travis.yml", "request_line": "GET \/.travis.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.302.2 Safari\/\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.travis.yml", "evidence_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebK", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /.vscode/settings.json	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /.vscode/settings.json UA Mozilla/5.0 (Linux; Android 9; SM-G965U) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.vscode/settings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.vscode/settings.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.vscode/ Ligne de requête `GET /.vscode/settings.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G965U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.vscode/settings.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965U) AppleWebKit/537 Requête brute (extrait) GET /.vscode/settings.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "2e2c19c1d95990a188ae2dc3e112475ddb923307", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "8f13238caccb97889bb93a57a58c8206b67c85b5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.403935372130708, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "00c51445fa3ba55029b5810df9c7576690035d82", "event_fingerprint": "87349f5b28e46044ef3f1de50af211675933fdb5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0227" ], "matched_pattern_names": [ "Probe \/.vscode\/" ], "pattern_ids": [ "pat-0227" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0fc9f1f9e51b48f63de3565001461eb9", "payload_hash": "0c6d6710752fe66bcbf5157b91970dd6", "path_pattern_hash": "f5f67949e6b52d5014abefc02d1fe9f6" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537", "method": "GET", "path": "\/.vscode\/settings.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "request_sample": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/.vscode\/settings.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "request_sample": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5046932c6621a15c3e973b889c030ca7ebf03f0a", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/settings.json", "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/settings.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/settings.json", "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/settings.json", "evidence_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /.github/workflows/deploy.yml	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /.github/workflows/deploy.yml UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /.github/workflows/deploy.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.github/workflows/deploy.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.github/workflows/deploy.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 YaBrowser/19.7.2.455 Yowser/2.5 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/5 Requête brute (extrait) GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 YaBrowser/19.7.2.455 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Enco Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "f7ce96bd7c374c46ea88f4107d82471aff5c9393", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "9a980960a1dce8601282270803934f12c1e6c3d4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 289, "payload_entropy": 5.480300014128337, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f24d73037dd04e590012c09b25bf8c9691e73b29", "event_fingerprint": "9c1b89056bef23d8803a06d894c31fe7dbf4e3cb", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "afad000495b25fb36d68911567b040db", "payload_hash": "97f89adbce75b657909d8bf9efa7a46a", "path_pattern_hash": "76cfbca880390f07dc02774a92e03828" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/5", "method": "GET", "path": "\/.github\/workflows\/deploy.yml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.455 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.455 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Enco", "payload_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/.github\/workflows\/deploy.yml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.455 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.455 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Enco", "payload_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/5", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2684cba7990ce19b527614e5e202eaf302e03bcf", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/deploy.yml", "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.455 Yo\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/5", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/deploy.yml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/deploy.yml", "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.455 Yo\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/deploy.yml", "evidence_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/5", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:15:18 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /.github/workflows/main.yml	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /.github/workflows/main.yml UA Xenu Link Sleuth/1.3.8 Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950468:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.github/workflows/main.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.github/workflows/main.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.github/workflows/main.yml HTTP/1.1` User-Agent Xenu Link Sleuth/1.3.8 Règles WAF nosqli-3 Payload (extrait) GET /.github/workflows/main.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Xenu Link Sleuth/1.3.8 Accept-Charset: utf-8 Acce Requête brute (extrait) GET /.github/workflows/main.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Xenu Link Sleuth/1.3.8 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "7afec00fd78e19adcef4d1b0c495d9edd7717dda", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "235caf8bc184fcd8b7671c244cc53e88d83bf97b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 168, "payload_entropy": 5.200375271932287, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BR", "dst_port": 8080, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "0fa5e9388cf78d3869290f7f8cf66816f54b8401", "event_fingerprint": "b6832d0299bac21911be5aa9b58e7a06c7d33c2e", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9caa3e08342c15ecbc94deb812d26cd7", "payload_hash": "65c62063b8d634e736edeabb6dbb7f16", "path_pattern_hash": "e05ba7286924149fefd56c25594fa0c5" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Xenu Link Sleuth\/1.3.8\r\nAccept-Charset: utf-8\r\nAcce", "method": "GET", "path": "\/.github\/workflows\/main.yml", "user_agent": "Xenu Link Sleuth\/1.3.8", "waf_tags": [ "950468:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/.github\/workflows\/main.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Xenu Link Sleuth\/1.3.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Xenu Link Sleuth\/1.3.8\r\nAccept-Charset: utf-8\r\nAcce", "evidence": { "method": "GET", "path": "\/.github\/workflows\/main.yml", "user_agent": "Xenu Link Sleuth\/1.3.8", "waf_tags": [ "950468:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/.github\/workflows\/main.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Xenu Link Sleuth\/1.3.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Xenu Link Sleuth\/1.3.8\r\nAccept-Charset: utf-8\r\nAcce", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d66ac5ae454bbc60549a45d75b25061c7ecebc0a", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/main.yml", "request_line": "GET \/.github\/workflows\/main.yml HTTP\/1.1", "http_user_agent": "Xenu Link Sleuth\/1.3.8", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Xenu Link Sleuth\/1.3.8\r\nAccept-Charset: utf-8\r\nAcce", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/main.yml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/main.yml", "request_line": "GET \/.github\/workflows\/main.yml HTTP\/1.1", "http_user_agent": "Xenu Link Sleuth\/1.3.8", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/main.yml", "evidence_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Xenu Link Sleuth\/1.3.8\r\nAccept-Charset: utf-8\r\nAcce", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }

35.198.38.231

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence