Renseignement sur les menaces

R.A.S. chinoise de Hong Kong

35.220.230.19

FAI Google LLC Première vue 15/06/2026 21:17 UTC Dernière vue 15/06/2026 21:18 UTC Risque Critique

Période analysée : 2026-05-17 → 2026-06-16

Activité suspecte — risque 55/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 89/100 Critique

Première observation 15/06/2026 21:17 UTC

Dernière observation 15/06/2026 21:18 UTC

Événements (période) 608

MITRE ATT&CK principal T1499 477 occurrences

Activité suspecte — risque 55/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 60 · 2 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 35.220.224.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 608 événements sur la période pour cette IP.

35.203.211.149 Scanner web 16/06/2026 12:14 UTC
34.78.23.28 Sonde port 12427/TCP 16/06/2026 12:13 UTC
34.78.243.65 Sonde port 8605/TCP 16/06/2026 12:13 UTC
34.14.117.1 Sonde port 8383/TCP 16/06/2026 12:13 UTC
34.38.195.167 Sonde port 18093/TCP 16/06/2026 12:13 UTC
35.233.88.72 Sonde port 4401/TCP 16/06/2026 12:13 UTC
35.205.114.199 Sonde port 5242/TCP 16/06/2026 12:13 UTC
162.216.150.62 Scanner web 16/06/2026 12:13 UTC

Événements (filtres)

608

Première observation

15/06/2026 21:17 UTC

Dernière observation

15/06/2026 21:18 UTC

Dernière activité (filtres)

15/06/2026 21:18 UTC

Événements 7j

608

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Géolocalisation

Origine réseau déclarée

R.A.S. chinoise de Hong Kong unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 8080 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http flood · via HTTP:8080 · (tentative d'exploit) · → /private.key

Détails protocole

Méthode: GET
Chemin: /private.key
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.…

Aperçu payload

GET /private.key HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36

Port / service

8080 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 2 tag(s) WAF

Technique MITRE

T1499

Persona capteur

mail.sensor-1.internal

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1499 Upstream Waf Score

Confiance

100%

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

608 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

608 événement(s) — page 7/13

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /exports/sendgrid.zip	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /exports/sendgrid.zip UA SearchExpress Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950468:nosqli-3 http_backup_path net_flood Cible HTTP GET /exports/sendgrid.zip TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /exports/sendgrid.zip Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /exports/sendgrid.zip HTTP/1.1` User-Agent SearchExpress Règles WAF nosqli-3 Payload (extrait) GET /exports/sendgrid.zip HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: SearchExpress Accept-Charset: utf-8 Accept-Encoding: gz Requête brute (extrait) GET /exports/sendgrid.zip HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: SearchExpress Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "zip", "http_ua_hash": "0f34e46ee455e3902ab13bd0e9ef41f45fdb19f3", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "255856972a57f3209425759908f154c8f6e011bd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 153, "payload_entropy": 5.022373681868387, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "7579dba51e75be848b56bc4c6f398535eddabd55", "event_fingerprint": "ae7629220b9de46e9b4742d542ff4e1e5f07bbbf", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "079271c120bdf55f3ee944ef880898e1", "payload_hash": "1213f4de7c1478778e093dd57e7f11fa", "path_pattern_hash": "4fcaa425fc6a702b5d0706e2b0db114b" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/exports\/sendgrid.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: SearchExpress\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "method": "GET", "path": "\/exports\/sendgrid.zip", "user_agent": "SearchExpress", "waf_tags": [ "950468:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/exports\/sendgrid.zip HTTP\/1.1", "request_sample": "GET \/exports\/sendgrid.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: SearchExpress\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/exports\/sendgrid.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: SearchExpress\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "evidence": { "method": "GET", "path": "\/exports\/sendgrid.zip", "user_agent": "SearchExpress", "waf_tags": [ "950468:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/exports\/sendgrid.zip HTTP\/1.1", "request_sample": "GET \/exports\/sendgrid.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: SearchExpress\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/exports\/sendgrid.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: SearchExpress\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "93ae7c49c7eacf451b77920d95c238cce404b4e5", "protocol_details": { "http_method": "GET", "http_path": "\/exports\/sendgrid.zip", "request_line": "GET \/exports\/sendgrid.zip HTTP\/1.1", "http_user_agent": "SearchExpress", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/exports\/sendgrid.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: SearchExpress\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/exports\/sendgrid.zip", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/exports\/sendgrid.zip", "request_line": "GET \/exports\/sendgrid.zip HTTP\/1.1", "http_user_agent": "SearchExpress", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/exports\/sendgrid.zip", "evidence_snippet": "GET \/exports\/sendgrid.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: SearchExpress\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "http_backup_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sendgrid-config.zip	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid-config.zip UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_backup_path net_flood Cible HTTP GET /sendgrid-config.zip TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sendgrid-config.zip Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid-config.zip HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.42 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid-config.zip HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKi Requête brute (extrait) GET /sendgrid-config.zip HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.42 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "zip", "http_ua_hash": "74d7f7b960e67c6029324b532e3bf5abc8d49e3b", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "8fc5cc57db8e9b48e0b44a097d8a9ab081b588e3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.416704634104034, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4746ab84d629e04ba902615840f91305535047d3", "event_fingerprint": "495022146d57452f85136665ede2120b37046dcc", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d13f14c9d234a4a407f91367c2ec6b1e", "payload_hash": "d6eff989f897701191f80adfb62279ce", "path_pattern_hash": "a9cc80cd6b2be5486053ff3b72269bc2" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sendgrid-config.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKi", "method": "GET", "path": "\/sendgrid-config.zip", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid-config.zip HTTP\/1.1", "request_sample": "GET \/sendgrid-config.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/sendgrid-config.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKi", "evidence": { "method": "GET", "path": "\/sendgrid-config.zip", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid-config.zip HTTP\/1.1", "request_sample": "GET \/sendgrid-config.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/sendgrid-config.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKi", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "28c5bbe7a425555932aced866c97cfff7c4f4551", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.zip", "request_line": "GET \/sendgrid-config.zip HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid-config.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKi", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.zip", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.zip", "request_line": "GET \/sendgrid-config.zip HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.zip", "evidence_snippet": "GET \/sendgrid-config.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKi", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_backup_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sendgrid_export.zip	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid_export.zip UA Mozilla/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit/5… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_backup_path net_flood Cible HTTP GET /sendgrid_export.zip TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sendgrid_export.zip Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid_export.zip HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid_export.zip HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWeb Requête brute (extrait) GET /sendgrid_export.zip HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "zip", "http_ua_hash": "daef42a21df445f94f682246a0f12c5c5ec788d7", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "160f5154472d977883d1316e9a9b90367f503d6b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 269, "payload_entropy": 5.4173131775657755, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4746ab84d629e04ba902615840f91305535047d3", "event_fingerprint": "4517ba4cd9d1c53f445dca054179f459b7d6de26", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c6b3619039704febe848287f0873e60d", "payload_hash": "17a3f9ff92647cf9087c16d3d3fa43fd", "path_pattern_hash": "9decc2f8b30afb9a3d5869e83dc4cca1" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sendgrid_export.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWeb", "method": "GET", "path": "\/sendgrid_export.zip", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid_export.zip HTTP\/1.1", "request_sample": "GET \/sendgrid_export.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/sendgrid_export.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWeb", "evidence": { "method": "GET", "path": "\/sendgrid_export.zip", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid_export.zip HTTP\/1.1", "request_sample": "GET \/sendgrid_export.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/sendgrid_export.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWeb", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "562855dcea27df2f57cf0f5974c5b3ecec10066c", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid_export.zip", "request_line": "GET \/sendgrid_export.zip HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Sa\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid_export.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWeb", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid_export.zip", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid_export.zip", "request_line": "GET \/sendgrid_export.zip HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Sa\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid_export.zip", "evidence_snippet": "GET \/sendgrid_export.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWeb", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_backup_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sendgrid-export.zip	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid-export.zip UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_backup_path net_flood Cible HTTP GET /sendgrid-export.zip TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sendgrid-export.zip Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid-export.zip HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid-export.zip HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537. Requête brute (extrait) GET /sendgrid-export.zip HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "zip", "http_ua_hash": "fb35aa6d075efbf6c20bdfab4a318bb13334b704", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "a6f9fe5fc84f3a058c72c0a88afe4f6820a7fbd9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.40422212996436, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4746ab84d629e04ba902615840f91305535047d3", "event_fingerprint": "96d8fda9769be7521d163f8b528a8616d8d09c1c", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b80f036707f051ea52220d84e31704a2", "payload_hash": "f4125d9b17c0cb9da494503f1f914409", "path_pattern_hash": "45f524e0a6d936db8071087e24bd1d07" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/sendgrid-export.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "method": "GET", "path": "\/sendgrid-export.zip", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid-export.zip HTTP\/1.1", "request_sample": "GET \/sendgrid-export.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid-export.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/sendgrid-export.zip", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid-export.zip HTTP\/1.1", "request_sample": "GET \/sendgrid-export.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid-export.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fe611b07bf55cec438521ff191f5a556e071cde9", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-export.zip", "request_line": "GET \/sendgrid-export.zip HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid-export.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-export.zip", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-export.zip", "request_line": "GET \/sendgrid-export.zip HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.78 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-export.zip", "evidence_snippet": "GET \/sendgrid-export.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_backup_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /backup/sendgrid.zip	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /backup/sendgrid.zip UA Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_backup_file_scan Cible HTTP GET /backup/sendgrid.zip TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /backup/sendgrid.zip Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backup/sendgrid.zip HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backup/sendgrid.zip HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/5 Requête brute (extrait) GET /backup/sendgrid.zip HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "zip", "http_ua_hash": "debb15a7d68aa336bc36ec7e628a2911a37d6393", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "bc78228202ebe735ae602afdaf3bbcc304d9ad43", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.392814221448947, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 7, "anomaly_count": 0, "campaign_key": "2ebba70cb0720d1e2d2857e195c7e7d77b8a6021", "event_fingerprint": "e412c7b96722c35296f0c9a3be8f5c232292e7cf", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d60e0586986b6a343b0c6e2f32127712", "payload_hash": "ad6c5355396b488778073f211ff3a080", "path_pattern_hash": "e58a3cc3a6da96914e9d5978432008f5" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/backup\/sendgrid.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/5", "method": "GET", "path": "\/backup\/sendgrid.zip", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backup\/sendgrid.zip HTTP\/1.1", "request_sample": "GET \/backup\/sendgrid.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/backup\/sendgrid.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/backup\/sendgrid.zip", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backup\/sendgrid.zip HTTP\/1.1", "request_sample": "GET \/backup\/sendgrid.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/backup\/sendgrid.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/5", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "574dc07cb706e85f8ce1ca82e3968805b49d6926", "protocol_details": { "http_method": "GET", "http_path": "\/backup\/sendgrid.zip", "request_line": "GET \/backup\/sendgrid.zip HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backup\/sendgrid.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/5", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backup\/sendgrid.zip", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/backup\/sendgrid.zip", "request_line": "GET \/backup\/sendgrid.zip HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backup\/sendgrid.zip", "evidence_snippet": "GET \/backup\/sendgrid.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/5", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "http_probe_backup", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /backup/dump.sql	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /backup/dump.sql UA Mozilla/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit/537.3… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_backup_file_scan Cible HTTP GET /backup/dump.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /backup/dump.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI SQL dump file Ligne de requête `GET /backup/dump.sql HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.5 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backup/dump.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit/537. Requête brute (extrait) GET /backup/dump.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.5 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "sql", "http_ua_hash": "15b1881e1bb76a642b3b99a3ef7873b63f2f7159", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "c38d2c8d89f88b7fc6ca9708a6bc5ed997b0b0c7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.465484088926851, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 7, "anomaly_count": 0, "campaign_key": "2ebba70cb0720d1e2d2857e195c7e7d77b8a6021", "event_fingerprint": "9495c077f73f0c228916d8d4a5db74b650b451cb", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0132" ], "matched_pattern_names": [ "LFI SQL dump file" ], "pattern_ids": [ "pat-0132" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6a2a45e8c2910671a89c961f16277ac7", "payload_hash": "bc054cfdc4f0ba1a33feb9f65098aa8f", "path_pattern_hash": "6439d20f0bda2dafc25af344ff41d4ad" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/backup\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.", "method": "GET", "path": "\/backup\/dump.sql", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.5 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backup\/dump.sql HTTP\/1.1", "request_sample": "GET \/backup\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.5 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/backup\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/backup\/dump.sql", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.5 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backup\/dump.sql HTTP\/1.1", "request_sample": "GET \/backup\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.5 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/backup\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "46f55c8d330c0574650058a79ea2f2363787a541", "protocol_details": { "http_method": "GET", "http_path": "\/backup\/dump.sql", "request_line": "GET \/backup\/dump.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.5 Mobile Safari\/5\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backup\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backup\/dump.sql", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/backup\/dump.sql", "request_line": "GET \/backup\/dump.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.5 Mobile Safari\/5\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backup\/dump.sql", "evidence_snippet": "GET \/backup\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6013) AppleWebKit\/537.", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "http_probe_backup", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /backup/db.sql	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /backup/db.sql UA Mozilla/5.0 (Linux; U; Android 1.5; en-us; sdk Build/CUPCAKE) A… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_backup_file_scan Cible HTTP GET /backup/db.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /backup/db.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backup/db.sql HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 1.5; en-us; sdk Build/CUPCAKE) AppleWebkit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backup/db.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-us; sdk Build/CUPCAKE) Ap Requête brute (extrait) GET /backup/db.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-us; sdk Build/CUPCAKE) AppleWebkit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "sql", "http_ua_hash": "ab48b72c0a6eee0aa9986264dd514c99cad2fbd5", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "8bb196ad89dc8f3148fb8df551b5c4fd3ee16e0e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 270, "payload_entropy": 5.372880166926048, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 7, "anomaly_count": 0, "campaign_key": "2ebba70cb0720d1e2d2857e195c7e7d77b8a6021", "event_fingerprint": "fed422e85c665a3520ff1ef67223506c41229a78", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8e63a6d9611cab20c06527104cc8dbd2", "payload_hash": "b1f4f79f888f9ebd3cc08e1d18e80231", "path_pattern_hash": "abff284fbaed0891425594f9e2d944cb" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/backup\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) Ap", "method": "GET", "path": "\/backup\/db.sql", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) AppleWebkit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backup\/db.sql HTTP\/1.1", "request_sample": "GET \/backup\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) AppleWebkit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/backup\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) Ap", "evidence": { "method": "GET", "path": "\/backup\/db.sql", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) AppleWebkit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backup\/db.sql HTTP\/1.1", "request_sample": "GET \/backup\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) AppleWebkit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/backup\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) Ap", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2694ed6a31a82fac36b911caf833d1562dd056e7", "protocol_details": { "http_method": "GET", "http_path": "\/backup\/db.sql", "request_line": "GET \/backup\/db.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) AppleWebkit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobi\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backup\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) Ap", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backup\/db.sql", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/backup\/db.sql", "request_line": "GET \/backup\/db.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) AppleWebkit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobi\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backup\/db.sql", "evidence_snippet": "GET \/backup\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; sdk Build\/CUPCAKE) Ap", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "http_probe_backup", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sql/dump.sql	Élevée	Élevé · 71
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sql/dump.sql UA Mozilla/5.0 (Linux; Android 6.0.1; MI 5 Build/MXB48T; wv) Apple… Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /sql/dump.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sql/dump.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 71 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI SQL dump file Ligne de requête `GET /sql/dump.sql HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 6.0.1; MI 5 Build/MXB48T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 MMWEBID/3072 MicroMess… Règles WAF sqli-21 rce-0 nosqli-3 Payload (extrait) GET /sql/dump.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; MI 5 Build/MXB48T; wv) AppleWe Requête brute (extrait) GET /sql/dump.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; MI 5 Build/MXB48T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 MMWEBID/3072 Mic Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "sql", "http_ua_hash": "2ad97a32b094802429e8cd0cdb324fc946455262", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "2178f66a414b08eb6ab0f320bed424734133eba3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 401, "payload_entropy": 5.5694738981815854, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 71, "tag_count": 8, "anomaly_count": 0, "campaign_key": "afcd5a4874e95aa569469dd32a2c5b4dbac1e66b", "event_fingerprint": "ff78a780e6e249f847dcedfbf10515914432b606", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0132" ], "matched_pattern_names": [ "LFI SQL dump file" ], "pattern_ids": [ "pat-0132" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "626a4dd1550738d3881c5021a33dce89", "payload_hash": "5582bb002cb059df0c01b6dfc667dea9", "path_pattern_hash": "97c7fc31bec015bed7bc084362f6f973" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 71 }, "payload_preview": "GET \/sql\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWe", "method": "GET", "path": "\/sql\/dump.sql", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/3072 MicroMessenger\/7.0.3.1400(0x2700033C) Process\/tools NetType\/WIFI \u2026", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3" ], "request_line": "GET \/sql\/dump.sql HTTP\/1.1", "request_sample": "GET \/sql\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/3072 Mic", "payload_snippet": "GET \/sql\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWe", "evidence": { "method": "GET", "path": "\/sql\/dump.sql", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/3072 MicroMessenger\/7.0.3.1400(0x2700033C) Process\/tools NetType\/WIFI \u2026", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3" ], "request_line": "GET \/sql\/dump.sql HTTP\/1.1", "request_sample": "GET \/sql\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/3072 Mic", "payload_snippet": "GET \/sql\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWe", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1b70abfea8f1320abd829ddaf6cfb2fd4fa30e65", "protocol_details": { "http_method": "GET", "http_path": "\/sql\/dump.sql", "request_line": "GET \/sql\/dump.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sql\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWe", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sql\/dump.sql", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 71 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 71, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sql\/dump.sql", "request_line": "GET \/sql\/dump.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sql\/dump.sql", "evidence_snippet": "GET \/sql\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWe", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "http_probe_sql", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → nc3:	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole Y?\] nc3: JA3 19e29534fd49dd27 Émulateur HTTP WAF 0 Recommandation Investiguer Tags http_no_ua net_flood net_slowloris Cible HTTP Y?\] nc3: TLS SNI — Capteur paris-1
Preuve / Evidence Méthode Y?\] Port 8080 Chemin / cible nc3: Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ Ligne de requête `Y?\] nc3: HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) ��Y?��\��]� n�c��3:�� ش2l ��8��,@v�� i �&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Y?��\��]� n�c��3:�� ش2l ��8��,@v�� i �&�+�/�,�0̨̩� �� /5� w �+3&$ L��ގ��?��Pչn�G27W1>��g Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "d447b4a59e2e6034c37a1e7c5d81c095d4ed988d", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003Y?\u0018\u0014\\]", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 239, "payload_entropy": 5.8347579012048065, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5f9217dc41d7e020be5cfe6a650da409c7f9f55c", "event_fingerprint": "ddf071b6b0735b5d8606783907fae022bbfc8b88", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "da375b1e3b6f738ea3d7589758b81486", "path_pattern_hash": "083259c257fd514c0a7a866601cd0d43", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003Y?\u0018\u0014\\]", "path": "nc3:\u001b", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003Y?\u0018\u0014\\] nc3:\u001b HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdY?\u0018\ufffd\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd]\ufffd\r\fn\ufffdc\ufffd\ufffd3:\ufffd\ufffd\u001b\ufffd \u06342l \ufffd\ufffd\u001a\ufffd\u0015\ufffd\ufffd\ufffd8\u0018\ufffd\u0017\u000e\ufffd\ufffd\ufffd\ufffd,@v\ufffd\ufffd\ufffd\ri \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003Y?\u0018\u0014\\]", "path": "nc3:\u001b", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003Y?\u0018\u0014\\] nc3:\u001b HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdY?\u0018\ufffd\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd]\ufffd\r\fn\ufffdc\ufffd\ufffd3:\ufffd\ufffd\u001b\ufffd \u06342l \ufffd\ufffd\u001a\ufffd\u0015\ufffd\ufffd\ufffd8\u0018\ufffd\u0017\u000e\ufffd\ufffd\ufffd\ufffd,@v\ufffd\ufffd\ufffd\ri \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 L\ufffd\ufffd\u078e\u0013\ufffd\u0011\ufffd?\u001c\ufffd\ufffdP\u0579n\ufffdG27\u0000W\u00151>\ufffd\ufffd\ufffdg", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdY?\u0018\ufffd\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd]\ufffd\r\fn\ufffdc\ufffd\ufffd3:\ufffd\ufffd\u001b\ufffd \u06342l \ufffd\ufffd\u001a\ufffd\u0015\ufffd\ufffd\ufffd8\u0018\ufffd\u0017\u000e\ufffd\ufffd\ufffd\ufffd,@v\ufffd\ufffd\ufffd\ri \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "037863247c2b4d354a6cfd3329cd8f65c77bd9bc", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003Y?\u0018\u0014\\]", "http_path": "nc3:\u001b", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003Y?\u0018\u0014\\] nc3:\u001b HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdY?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd]\ufffd\rn\ufffdc\ufffd\ufffd3:\ufffd\ufffd\ufffd \u06342l \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd,@v\ufffd\ufffd\ufffd\ri \ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 nc3:\u001b", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003Y?\u0018\u0014\\]", "http_path": "nc3:\u001b", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003Y?\u0018\u0014\\] nc3:\u001b HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 nc3:\u001b", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdY?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd]\ufffd\rn\ufffdc\ufffd\ufffd3:\ufffd\ufffd\ufffd \u06342l \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd,@v\ufffd\ufffd\ufffd\ri \ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_no_ua", "net_flood", "net_slowloris" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sql/backup.sql	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sql/backup.sql UA Mozilla/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit/537.… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_backup_file_scan Cible HTTP GET /sql/backup.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sql/backup.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI SQL backup dump Ligne de requête `GET /sql/backup.sql HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sql/backup.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit/537. Requête brute (extrait) GET /sql/backup.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "sql", "http_ua_hash": "f3835d35cd2637e9a5d15acde80637dcb0ee57ff", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "f0de98609d8acec987898ead4afa508604465543", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.422293149930135, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 7, "anomaly_count": 0, "campaign_key": "1c73869cd8fa57827a76c1c75317b2f135c295ea", "event_fingerprint": "be6e782c08a5e5b71731adfdd111efbc0e26ce3a", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0131" ], "matched_pattern_names": [ "LFI SQL backup dump" ], "pattern_ids": [ "pat-0131" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1e64156bbeb33a5302cb2a2ca45ba91b", "payload_hash": "d691a14a0372456ae6c799d647b05578", "path_pattern_hash": "9a79585f3b83c71b1103cb2cf8836f4d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/sql\/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.", "method": "GET", "path": "\/sql\/backup.sql", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sql\/backup.sql HTTP\/1.1", "request_sample": "GET \/sql\/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/sql\/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/sql\/backup.sql", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sql\/backup.sql HTTP\/1.1", "request_sample": "GET \/sql\/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/sql\/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "67d0e6b2dbe8c506c1f69a34f1e6babd00b04bf0", "protocol_details": { "http_method": "GET", "http_path": "\/sql\/backup.sql", "request_line": "GET \/sql\/backup.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safar\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sql\/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sql\/backup.sql", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sql\/backup.sql", "request_line": "GET \/sql\/backup.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safar\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sql\/backup.sql", "evidence_snippet": "GET \/sql\/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "http_probe_sql", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /backups/dump.sql	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /backups/dump.sql UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_backup_file_scan Cible HTTP GET /backups/dump.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /backups/dump.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI SQL dump file Ligne de requête `GET /backups/dump.sql HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3887.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backups/dump.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /backups/dump.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3887.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "sql", "http_ua_hash": "9c901fc90cec65e9c437a5c159b057ea26d0a3b2", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "b9a718029359bb136a4e7253c509a48cf8d0c4d1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.444578262157129, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 7, "anomaly_count": 0, "campaign_key": "540e29a5725fff60862aa506423c5929516be84d", "event_fingerprint": "359ba0c2bdeccfe68a65c1d73b4ce1187ded8b4a", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0132" ], "matched_pattern_names": [ "LFI SQL dump file" ], "pattern_ids": [ "pat-0132" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6da193ba001c53441a3e1f1fa1205dc4", "payload_hash": "cbaa953931feb6533f8b39d49b71c449", "path_pattern_hash": "cfb2d5886f070579668a7acef36a514e" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/backups\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 ", "method": "GET", "path": "\/backups\/dump.sql", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backups\/dump.sql HTTP\/1.1", "request_sample": "GET \/backups\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backups\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/backups\/dump.sql", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backups\/dump.sql HTTP\/1.1", "request_sample": "GET \/backups\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backups\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "52521a813c5c644831f4155def146160e077c25b", "protocol_details": { "http_method": "GET", "http_path": "\/backups\/dump.sql", "request_line": "GET \/backups\/dump.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backups\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backups\/dump.sql", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/backups\/dump.sql", "request_line": "GET \/backups\/dump.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3887.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backups\/dump.sql", "evidence_snippet": "GET \/backups\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "http_probe_backups", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /email.zip	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /email.zip UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_backup_path net_flood Cible HTTP GET /email.zip TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /email.zip Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /email.zip HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /email.zip HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /email.zip HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "zip", "http_ua_hash": "4e40b754177d1f49692ed041d7676835db2f8a37", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "b660149700140cee4afebf83f77d5a0f895797b8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 238, "payload_entropy": 5.427103900456961, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4746ab84d629e04ba902615840f91305535047d3", "event_fingerprint": "aee4d2234b9c76fd56e203e45ffa078f81f63100", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7697b1a321cff681099e6e1cb67176ea", "payload_hash": "d9ce7efa462971b800c8fa6493a1e72a", "path_pattern_hash": "3340fa734c264c64ab0b6a4f6157bbad" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/email.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like ", "method": "GET", "path": "\/email.zip", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/email.zip HTTP\/1.1", "request_sample": "GET \/email.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/email.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/email.zip", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/email.zip HTTP\/1.1", "request_sample": "GET \/email.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/email.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a00d14ec5b974fdf8aad5a3aadb824bf4aa5c02f", "protocol_details": { "http_method": "GET", "http_path": "\/email.zip", "request_line": "GET \/email.zip HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/email.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/email.zip", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/email.zip", "request_line": "GET \/email.zip HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/email.zip", "evidence_snippet": "GET \/email.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_backup_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /backups/db.sql	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /backups/db.sql UA Mozilla/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build/KOT49… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_backup_file_scan Cible HTTP GET /backups/db.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /backups/db.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backups/db.sql HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.94 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backups/db.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build/KOT49 Requête brute (extrait) GET /backups/db.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.94 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "sql", "http_ua_hash": "63a22d7857e8fbf458d3c716bbd3154c0b5b9302", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "745cccfc29784ae14276e19ae16a5d552a0c02e1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 279, "payload_entropy": 5.521004848275399, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 7, "anomaly_count": 0, "campaign_key": "540e29a5725fff60862aa506423c5929516be84d", "event_fingerprint": "070d2276706007a32562b9ade58518d5f978dc00", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5e506919050a6c76e98fe278e0170eb6", "payload_hash": "7dc4cc661da4dcb9d89099dec4c8a4a8", "path_pattern_hash": "2ceaf5f42361626ea8ede1436fb78184" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/backups\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49", "method": "GET", "path": "\/backups\/db.sql", "user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.94 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backups\/db.sql HTTP\/1.1", "request_sample": "GET \/backups\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.94 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/backups\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49", "evidence": { "method": "GET", "path": "\/backups\/db.sql", "user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.94 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backups\/db.sql HTTP\/1.1", "request_sample": "GET \/backups\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.94 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/backups\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "814ffc639d3479bf40db99bd52bf0732e1a85cf4", "protocol_details": { "http_method": "GET", "http_path": "\/backups\/db.sql", "request_line": "GET \/backups\/db.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.24\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backups\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backups\/db.sql", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/backups\/db.sql", "request_line": "GET \/backups\/db.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.24\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backups\/db.sql", "evidence_snippet": "GET \/backups\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "http_probe_backups", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /sql/db.sql	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /sql/db.sql UA Mozilla/5.0 (X11; U; Linux i686; en-gb) AppleWebKit/534.35 (KHT… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_backup_path Cible HTTP GET /sql/db.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /sql/db.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sql/db.sql HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux i686; en-gb) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.0.5603M Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sql/db.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-gb) AppleWebKit/534.35 (KHTML, Requête brute (extrait) GET /sql/db.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-gb) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.0.5603M Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "sql", "http_ua_hash": "1d403745579fa3699d01a78424929aaa5c8780de", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "16807f0ba9f68bc542a56bd11d2c9d32cf150e4f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.432909369237971, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 6, "anomaly_count": 0, "campaign_key": "e1227823acb30d4f43fc2dd8d25e48d203fb6be0", "event_fingerprint": "75f23a773ae3153b5829d718e25b89ee626b0921", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6f2590d9e4a37cc2c0b7f413d7d47030", "payload_hash": "ac226f95e457966c25d540a4038e88b7", "path_pattern_hash": "637147c21bb5796a7836f407b84cd50f" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/sql\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML, ", "method": "GET", "path": "\/sql\/db.sql", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.0.5603M", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sql\/db.sql HTTP\/1.1", "request_sample": "GET \/sql\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.0.5603M\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/sql\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML,", "evidence": { "method": "GET", "path": "\/sql\/db.sql", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.0.5603M", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sql\/db.sql HTTP\/1.1", "request_sample": "GET \/sql\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.0.5603M\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/sql\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML,", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "69e93d9a80da94db2de14e1794cf9ddf628bb821", "protocol_details": { "http_method": "GET", "http_path": "\/sql\/db.sql", "request_line": "GET \/sql\/db.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sql\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sql\/db.sql", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sql\/db.sql", "request_line": "GET \/sql\/db.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sql\/db.sql", "evidence_snippet": "GET \/sql\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-gb) AppleWebKit\/534.35 (KHTML,", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_backup_path", "http_probe_sql", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /tmp/dump.sql	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /tmp/dump.sql UA SonyEricssonW580i/R6BC Browser/NetFront/3.3 Profile/MIDP-2.0 Co… Émulateur HTTP WAF 12 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 http_backup_file_scan http_backup_path Cible HTTP GET /tmp/dump.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /tmp/dump.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI SQL dump file Ligne de requête `GET /tmp/dump.sql HTTP/1.1` User-Agent SonyEricssonW580i/R6BC Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Règles WAF nosqli-3 Payload (extrait) GET /tmp/dump.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: SonyEricssonW580i/R6BC Browser/NetFront/3.3 Profile/MIDP-2.0 Conf Requête brute (extrait) GET /tmp/dump.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: SonyEricssonW580i/R6BC Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "sql", "http_ua_hash": "0a2a6e381b4e8347dd10f0b771da99a36948c454", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "89ce78f795e1c71e3506326d2062bbac788ca9cc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 215, "payload_entropy": 5.30395547574451, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 56, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ae0da5a39886de1a30c47556e574c6ce12575a23", "event_fingerprint": "4c51e7f8d111bbb7b0999da6e48d9a82dcd0b53c", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0132" ], "matched_pattern_names": [ "LFI SQL dump file" ], "pattern_ids": [ "pat-0132" ], "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58ceef08d6bf010bb55668116df85616", "payload_hash": "ca12be9fe742d7983416894624a3c996", "path_pattern_hash": "8a69f9a625fc3a0068f6cf0cf5d1e1d9" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/tmp\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Conf", "method": "GET", "path": "\/tmp\/dump.sql", "user_agent": "SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/tmp\/dump.sql HTTP\/1.1", "request_sample": "GET \/tmp\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/tmp\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Conf", "evidence": { "method": "GET", "path": "\/tmp\/dump.sql", "user_agent": "SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/tmp\/dump.sql HTTP\/1.1", "request_sample": "GET \/tmp\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/tmp\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Conf", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b0b0ea82ea4ee802ec2ff7d69c285b0317e5a37d", "protocol_details": { "http_method": "GET", "http_path": "\/tmp\/dump.sql", "request_line": "GET \/tmp\/dump.sql HTTP\/1.1", "http_user_agent": "SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/tmp\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Conf", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/tmp\/dump.sql", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/tmp\/dump.sql", "request_line": "GET \/tmp\/dump.sql HTTP\/1.1", "http_user_agent": "SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/tmp\/dump.sql", "evidence_snippet": "GET \/tmp\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: SonyEricssonW580i\/R6BC Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Conf", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 56 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /exports/db.sql	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /exports/db.sql UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_backup_path Cible HTTP GET /exports/db.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /exports/db.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /exports/db.sql HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 YaBrowser/19.7.2.516 Yowser/2.5 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /exports/db.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /exports/db.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 YaBrowser/19.7.2.516 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Co Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "sql", "http_ua_hash": "731ca9d98f6cde1233b23f134a9451689809a867", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "7412f9d3eb1cad1ed9706d8922f2f565856876d9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 275, "payload_entropy": 5.462819851822737, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4d24acc417070bc88ccb1252c0a570ce75b465de", "event_fingerprint": "fa1ae16e035179ac319ea9966ed2e348ace44a24", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8289d1bf23603356656d3e7bf2d579f9", "payload_hash": "dc85f8a3dd7c1222fe3dddb6ff43a20c", "path_pattern_hash": "0d8e86ab2d4fe223c68ef029e393710d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/exports\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/exports\/db.sql", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/exports\/db.sql HTTP\/1.1", "request_sample": "GET \/exports\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/exports\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/exports\/db.sql", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/exports\/db.sql HTTP\/1.1", "request_sample": "GET \/exports\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/exports\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61408d943cd848e7f124139a5a77fce9df977133", "protocol_details": { "http_method": "GET", "http_path": "\/exports\/db.sql", "request_line": "GET \/exports\/db.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yo\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/exports\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/exports\/db.sql", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/exports\/db.sql", "request_line": "GET \/exports\/db.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yo\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/exports\/db.sql", "evidence_snippet": "GET \/exports\/db.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_backup_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8080 · (tentative d'exploit) · → /config.php	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /config.php UA Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_probe_config http_sensitive_path Cible HTTP GET /config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php Ligne de requête `GET /config.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /config.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "83e83b3c8bfcc99a7579c2bbadd3338a1cad80bb", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "b7e629c2fbd3802ae94e18b330925fd1c8118dc3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.421917015656788, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3a3205aea23b46dc863e5c45b0896cd521209151", "event_fingerprint": "61ba5bac23f590efd3c62f5beed10a4aed56f9d3", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0118" ], "matched_pattern_names": [ "LFI Generic config.php" ], "pattern_ids": [ "pat-0118" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 55 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ae8321b96ff12971932a6f741a2a934d", "payload_hash": "e05bf942f48209b41e2c7eed1013f6f1", "path_pattern_hash": "92fece0ebcf69fadf688bf735b18a081" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.php HTTP\/1.1", "request_sample": "GET \/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.php HTTP\/1.1", "request_sample": "GET \/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2f01839c115458d106d38761cb9c4877e0aaee8b", "protocol_details": { "http_method": "GET", "http_path": "\/config.php", "request_line": "GET \/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.php", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config.php", "request_line": "GET \/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.php", "evidence_snippet": "GET \/config.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_probe_config", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /tmp/backup.sql	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /tmp/backup.sql UA Mozilla/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit/537.36 … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_backup_file_scan Cible HTTP GET /tmp/backup.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /tmp/backup.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI SQL backup dump Ligne de requête `GET /tmp/backup.sql HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /tmp/backup.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit/537.36 Requête brute (extrait) GET /tmp/backup.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "sql", "http_ua_hash": "406eb81ad0f9cf031a58481327ceae6827edffe0", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "9fce8eac08d29ae761c7548d1c687342816196aa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.400739480532604, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 6, "anomaly_count": 0, "campaign_key": "0d8d250b31f6351080e3547b6f3e104d13c92c64", "event_fingerprint": "0a425512a2a92cd2e127ffd448bda4a0a68ca7c0", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0131" ], "matched_pattern_names": [ "LFI SQL backup dump" ], "pattern_ids": [ "pat-0131" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d8cd6c67bae736fdd5cbc1e58837c5b4", "payload_hash": "4b8c2fd1446b49572d331b996fafee23", "path_pattern_hash": "6d534771e313b6069b3d967cca34e275" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/tmp\/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit\/537.36 ", "method": "GET", "path": "\/tmp\/backup.sql", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/tmp\/backup.sql HTTP\/1.1", "request_sample": "GET \/tmp\/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/tmp\/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/tmp\/backup.sql", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/tmp\/backup.sql HTTP\/1.1", "request_sample": "GET \/tmp\/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/tmp\/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d1dfcc797bc1d0ac9a07ca53090b61b2b91ed437", "protocol_details": { "http_method": "GET", "http_path": "\/tmp\/backup.sql", "request_line": "GET \/tmp\/backup.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/5\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/tmp\/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/tmp\/backup.sql", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/tmp\/backup.sql", "request_line": "GET \/tmp\/backup.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/5\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/tmp\/backup.sql", "evidence_snippet": "GET \/tmp\/backup.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Phone 2) AppleWebKit\/537.36", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8080 · (tentative d'exploit) · → /config.json	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /config.json UA Mozilla/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) … Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 54 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive pat-0247 Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /config.json Ligne de requête `GET /config.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gecko/2008072421 Minefield/3.0.2pre Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gec Requête brute (extrait) GET /config.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gecko/2008072421 Minefield/3.0.2pre Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "6675bf58dd7577cbd16eb41011314c00b4ce9efa", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "110dc2bb220538a9df6ea13fd8474a5056c773dc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 229, "payload_entropy": 5.311700237479371, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "771b7e71d5f31fba2d1636f10c5ce0a9bfec6cbd", "event_fingerprint": "606fbb0ea76f03219065fcbb34cd9a9d36f3b235", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 182, "precision_signals": [ "INT-http_sensitive", "pat-0247", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "pat-0247", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0247" ], "matched_pattern_names": [ "Probe \/config.json" ], "pattern_ids": [ "pat-0247" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1358eb518be9e8b41bb24622b0996923", "payload_hash": "eb04c90a8555cc58104f7e1466bfe3cf", "path_pattern_hash": "b2ebf86a95e6e198c8d34ea73388c4ce" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gec", "method": "GET", "path": "\/config.json", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gecko\/2008072421 Minefield\/3.0.2pre", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.json HTTP\/1.1", "request_sample": "GET \/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gecko\/2008072421 Minefield\/3.0.2pre\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gec", "evidence": { "method": "GET", "path": "\/config.json", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gecko\/2008072421 Minefield\/3.0.2pre", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.json HTTP\/1.1", "request_sample": "GET \/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gecko\/2008072421 Minefield\/3.0.2pre\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gec", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e35e74c14664451a156cb4b3fb4dd2e000ba568e", "protocol_details": { "http_method": "GET", "http_path": "\/config.json", "request_line": "GET \/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gecko\/2008072421 Minefield\/3.0.2pre", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gec", "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "pat-0247", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "pat-0247", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config.json", "request_line": "GET \/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gecko\/2008072421 Minefield\/3.0.2pre", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.json", "evidence_snippet": "GET \/config.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0 x64; en-US; rv:1.9pre) Gec", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /config.ini	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /config.ini UA Mozilla/5.0 (OS/2; Warp 4.5; rv:45.0) Gecko/20100101 Firefox/45… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /config.ini TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /config.ini Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config.ini HTTP/1.1` User-Agent Mozilla/5.0 (OS/2; Warp 4.5; rv:45.0) Gecko/20100101 Firefox/45.0 SeaMonkey/2.42.9esr Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /config.ini HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:45.0) Gecko/20100101 Firefox/45.0 S Requête brute (extrait) GET /config.ini HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:45.0) Gecko/20100101 Firefox/45.0 SeaMonkey/2.42.9esr Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ini", "http_ua_hash": "fbfeb061a17a67387fddf78e72d6aecd0ca45bb9", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "fee43af2e95ac79d34775622c23b1b134a71e847", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 215, "payload_entropy": 5.289548371295267, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 92, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 66, "tag_count": 4, "anomaly_count": 0, "campaign_key": "17d2d8b15cff3f787bc983f3de42f2e6ec43f19b", "event_fingerprint": "768fa0bfc6b7e35789c97932235cf58d63d3cafb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 66 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6bf7c869476b4b782705baafb658da2d", "payload_hash": "407904ed22b1faa16775828b412d36f8", "path_pattern_hash": "8685ef98b1e7f07ec07502b255d7dc71" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/config.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 S", "method": "GET", "path": "\/config.ini", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 SeaMonkey\/2.42.9esr", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/config.ini HTTP\/1.1", "request_sample": "GET \/config.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 SeaMonkey\/2.42.9esr\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 S", "evidence": { "method": "GET", "path": "\/config.ini", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 SeaMonkey\/2.42.9esr", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/config.ini HTTP\/1.1", "request_sample": "GET \/config.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 SeaMonkey\/2.42.9esr\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 S", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "00d5749105d4fc7dffcbe0610fc7bd088020f6c0", "protocol_details": { "http_method": "GET", "http_path": "\/config.ini", "request_line": "GET \/config.ini HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 SeaMonkey\/2.42.9esr", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 S", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.ini", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 66 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config.ini", "request_line": "GET \/config.ini HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 SeaMonkey\/2.42.9esr", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.ini", "evidence_snippet": "GET \/config.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 S", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /config.yaml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /config.yaml UA Mozilla/5.0 (Linux; Android 9; COL-L29) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /config.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /config.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; COL-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config.yaml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; COL-L29) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /config.yaml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; COL-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "a7adbc6c50877ad0889851c6d3849498adc7bb64", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "ffa41e7ee4cc6f247a90f813aaf1a8798f7d8d0e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.437459067741286, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9168e67c0239c315b6c53b47b1067183652c82b8", "event_fingerprint": "7a07ba64d757b8dce07f4822b8ed55d6d01cf36d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0721c80a11d0dcf46b9e47f21bcd3d98", "payload_hash": "18592b6458c5acdc75e19f879293fca8", "path_pattern_hash": "01019d2319e003d8a4b16afde95af798" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/config.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/config.yaml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.yaml HTTP\/1.1", "request_sample": "GET \/config.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/config.yaml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.yaml HTTP\/1.1", "request_sample": "GET \/config.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0be46635e19e50d59937ffd99fc9f6bd3076b1dd", "protocol_details": { "http_method": "GET", "http_path": "\/config.yaml", "request_line": "GET \/config.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.yaml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config.yaml", "request_line": "GET \/config.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.yaml", "evidence_snippet": "GET \/config.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /config.env	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /config.env UA POLARIS/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS/6.01/WAP;)MMP/… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /config.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /config.env Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config.env HTTP/1.1` User-Agent POLARIS/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS/6.01/WAP;)MMP/2.0 profile/MIDP-201 Configuration /CLDC-1.1 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /config.env HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: POLARIS/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS/6.01/WAP;)MMP/2.0 Requête brute (extrait) GET /config.env HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: POLARIS/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS/6.01/WAP;)MMP/2.0 profile/MIDP-201 Configuration /CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "env", "http_ua_hash": "4a0435d4480da23db5d7a4effa1e42aa3271e477", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "b5e089947bc292949b0abdf667f0acaae7100f85", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 237, "payload_entropy": 5.430160828724151, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 92, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 66, "tag_count": 4, "anomaly_count": 0, "campaign_key": "6ec6ad08c0d050de027a66031540ecc36486c02c", "event_fingerprint": "f14a3d613170d4192ccbfbff0199d97c314a1736", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 66 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8f9b3da601a7c969c40d85033bad0228", "payload_hash": "0f3ff08abd71d9973050c5539a5ffa78", "path_pattern_hash": "c7f71359387e6db28263403e08bcbf29" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/config.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: POLARIS\/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS\/6.01\/WAP;)MMP\/2.0 ", "method": "GET", "path": "\/config.env", "user_agent": "POLARIS\/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS\/6.01\/WAP;)MMP\/2.0 profile\/MIDP-201 Configuration \/CLDC-1.1", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/config.env HTTP\/1.1", "request_sample": "GET \/config.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: POLARIS\/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS\/6.01\/WAP;)MMP\/2.0 profile\/MIDP-201 Configuration \/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: POLARIS\/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS\/6.01\/WAP;)MMP\/2.0", "evidence": { "method": "GET", "path": "\/config.env", "user_agent": "POLARIS\/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS\/6.01\/WAP;)MMP\/2.0 profile\/MIDP-201 Configuration \/CLDC-1.1", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/config.env HTTP\/1.1", "request_sample": "GET \/config.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: POLARIS\/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS\/6.01\/WAP;)MMP\/2.0 profile\/MIDP-201 Configuration \/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: POLARIS\/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS\/6.01\/WAP;)MMP\/2.0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a637223652e9b072bd06127947c437ba8aead83e", "protocol_details": { "http_method": "GET", "http_path": "\/config.env", "request_line": "GET \/config.env HTTP\/1.1", "http_user_agent": "POLARIS\/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS\/6.01\/WAP;)MMP\/2.0 profile\/MIDP-201 Configuration \/CLDC-1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: POLARIS\/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS\/6.01\/WAP;)MMP\/2.0", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.env", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 66 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config.env", "request_line": "GET \/config.env HTTP\/1.1", "http_user_agent": "POLARIS\/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS\/6.01\/WAP;)MMP\/2.0 profile\/MIDP-201 Configuration \/CLDC-1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.env", "evidence_snippet": "GET \/config.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: POLARIS\/6.01(BREW 3.1.5;U;en-us;LG;LX265;POLARIS\/6.01\/WAP;)MMP\/2.0", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /configuration.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /configuration.json UA Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0) Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /configuration.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /configuration.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /configuration.json HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /configuration.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/ Requête brute (extrait) GET /configuration.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "008dc8415699fb90c26b0ded6c54f368a639f0d3", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "e32d404f5333e29c1e2e23b69c8ddbaaf264578b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 201, "payload_entropy": 5.258713311184379, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "c96bdab6917a73c56550f4ab76725f8311bdcbaa", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a83daec8bb9795457aa0ad37dbd69fc7", "payload_hash": "be5520421c7f582d013362cc4a3f990f", "path_pattern_hash": "88bd1f331f23c792e938b0094c3748e0" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/configuration.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/", "method": "GET", "path": "\/configuration.json", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/configuration.json HTTP\/1.1", "request_sample": "GET \/configuration.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/configuration.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/", "evidence": { "method": "GET", "path": "\/configuration.json", "user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/configuration.json HTTP\/1.1", "request_sample": "GET \/configuration.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/configuration.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2244d05e9deaf0e290522c137c66baf58f6b0266", "protocol_details": { "http_method": "GET", "http_path": "\/configuration.json", "request_line": "GET \/configuration.json HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/configuration.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/configuration.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/configuration.json", "request_line": "GET \/configuration.json HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/configuration.json", "evidence_snippet": "GET \/configuration.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /config.yml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /config.yml UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /config.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3676.400 QQBrowser/10.4.3469.400 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /config.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3676.400 QQBrowser/10.4.3469.400 Accept-Charset: utf-8 Accept-Encoding: g Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "368e9b09924cd3b25e24999e07a8f79b5c3e4c95", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "9c71a471d1741f25c6a0cf33633b97ca741711ba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 282, "payload_entropy": 5.427813147965955, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9168e67c0239c315b6c53b47b1067183652c82b8", "event_fingerprint": "528f737e684ad7bf1f09b534fd8dde25d0334fde", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "48bf808ecb4530fe694b7fc7e0e9730a", "payload_hash": "0a3d98fb201ee14607037b2872543673", "path_pattern_hash": "0a2918ddc0ec44a5e60099bb735403f8" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "method": "GET", "path": "\/config.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3676.400 QQBrowser\/10.4.3469.400", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.yml HTTP\/1.1", "request_sample": "GET \/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3676.400 QQBrowser\/10.4.3469.400\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "payload_snippet": "GET \/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "method": "GET", "path": "\/config.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3676.400 QQBrowser\/10.4.3469.400", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.yml HTTP\/1.1", "request_sample": "GET \/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3676.400 QQBrowser\/10.4.3469.400\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "payload_snippet": "GET \/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a4d0b1a6e9cc527305efb628386767e7ee5e8935", "protocol_details": { "http_method": "GET", "http_path": "\/config.yml", "request_line": "GET \/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.yml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config.yml", "request_line": "GET \/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.yml", "evidence_snippet": "GET \/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /config.js	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /config.js UA Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.15 (KHT… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /config.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /config.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config.js HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.613.0 Chrome/10.0.613.0 Safari/534.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config.js HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.15 (KHTML, l Requête brute (extrait) GET /config.js HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.613.0 Chrome/10.0.613.0 Safari/534.15 Accept-Charset: utf-8 Accept-Encoding: gzip Conne Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "1f0a450d278d2de31e98e06067cde95cbba25c83", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "67b3179b286c960b4be84ff433764afe1a997eeb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 272, "payload_entropy": 5.3677804106713864, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "601f92359b1a1654d3c00233a601bd0f41fcd522", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8a2b321c956d64d93fa52f277cdbee9b", "payload_hash": "8a043242811643c9203b5a617f6f8189", "path_pattern_hash": "0ad09149f0572f6cdaf5a224970ea0d2" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/config.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, l", "method": "GET", "path": "\/config.js", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/10.0.613.0 Chrome\/10.0.613.0 Safari\/534.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.js HTTP\/1.1", "request_sample": "GET \/config.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/10.0.613.0 Chrome\/10.0.613.0 Safari\/534.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/config.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, l", "evidence": { "method": "GET", "path": "\/config.js", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/10.0.613.0 Chrome\/10.0.613.0 Safari\/534.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.js HTTP\/1.1", "request_sample": "GET \/config.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/10.0.613.0 Chrome\/10.0.613.0 Safari\/534.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/config.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, l", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "149f807d69d4b5239d995684523a6116b4e30e47", "protocol_details": { "http_method": "GET", "http_path": "\/config.js", "request_line": "GET \/config.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/10.0.613.0 Chrome\/\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, l", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.js", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/config.js", "request_line": "GET \/config.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/10.0.613.0 Chrome\/\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.js", "evidence_snippet": "GET \/config.js HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, l", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /configuration.php	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /configuration.php UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /configuration.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /configuration.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Joomla configuration Ligne de requête `GET /configuration.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3879.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /configuration.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /configuration.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3879.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "5cce4f80f3d827d2f70f7c83c9b78b284b9ad660", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "cbe0bbf7f8b5afabd4b78298d96327b6d56aee1e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.406869547816075, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "dc208df84c1471d908f60849e2a33e7c1abf6f56", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0123" ], "matched_pattern_names": [ "LFI Joomla configuration" ], "pattern_ids": [ "pat-0123" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0d4afa313b1ea1a5a97888703fa2992a", "payload_hash": "86bfda32af7981fcc3ea99c885ca11bc", "path_pattern_hash": "9977bbb4eba833ae122a27b7db6aa308" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/configuration.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/configuration.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/configuration.php HTTP\/1.1", "request_sample": "GET \/configuration.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/configuration.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/configuration.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/configuration.php HTTP\/1.1", "request_sample": "GET \/configuration.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/configuration.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a2e7dafa6f9e547ed3df5c6b941826a1b8a6593f", "protocol_details": { "http_method": "GET", "http_path": "\/configuration.php", "request_line": "GET \/configuration.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/configuration.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/configuration.php", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/configuration.php", "request_line": "GET \/configuration.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/configuration.php", "evidence_snippet": "GET \/configuration.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /settings.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /settings.json UA Mozilla/5.0 (Unknown; UNIX BSD/SYSV system) AppleWebKit/538.1 (… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /settings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /settings.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /settings.json HTTP/1.1` User-Agent Mozilla/5.0 (Unknown; UNIX BSD/SYSV system) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.7.0 Safari/538.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /settings.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Unknown; UNIX BSD/SYSV system) AppleWebKit/538.1 (K Requête brute (extrait) GET /settings.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Unknown; UNIX BSD/SYSV system) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.7.0 Safari/538.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "95be3647521211330ef9c5ce3584911c7c9da7b5", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "bf7030628c229b3e041c7e1c251921a9918e64a1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 242, "payload_entropy": 5.475885648671162, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9168e67c0239c315b6c53b47b1067183652c82b8", "event_fingerprint": "e14cfc69ac37af248e023fe0c754110e2868ffc0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1fa21196fddfcb27306271cb804cc886", "payload_hash": "bba098349cbedae30996d3420d39ad81", "path_pattern_hash": "77c44ac5d0e9de12fccd3bb6237f7ba5" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (K", "method": "GET", "path": "\/settings.json", "user_agent": "Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.7.0 Safari\/538.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.json HTTP\/1.1", "request_sample": "GET \/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.7.0 Safari\/538.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (K", "evidence": { "method": "GET", "path": "\/settings.json", "user_agent": "Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.7.0 Safari\/538.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.json HTTP\/1.1", "request_sample": "GET \/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.7.0 Safari\/538.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (K", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "29838d6af968b0d9139884f5d4dcbba508219ae7", "protocol_details": { "http_method": "GET", "http_path": "\/settings.json", "request_line": "GET \/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.7.0 Safari\/538.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (K", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/settings.json", "request_line": "GET \/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.7.0 Safari\/538.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.json", "evidence_snippet": "GET \/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Unknown; UNIX BSD\/SYSV system) AppleWebKit\/538.1 (K", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /configuration.yml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /configuration.yml UA Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537.36… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /configuration.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /configuration.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /configuration.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /configuration.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537 Requête brute (extrait) GET /configuration.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "34ca293b30dcd30d0b19b0257f6282c416f50fb0", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "f5ba477be733eb286d73c795898898c4df753007", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.389970781945296, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "5e7a09bb4afcf4c4eeb06156a4b484f509ce15ad", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b5d3de5a91b310cca721e869d16b9803", "payload_hash": "3dcda529455a9c78cf238f1c32c63d43", "path_pattern_hash": "11d7130e53c98b3dd086ae8969367205" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/configuration.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537", "method": "GET", "path": "\/configuration.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/configuration.yml HTTP\/1.1", "request_sample": "GET \/configuration.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/configuration.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/configuration.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/configuration.yml HTTP\/1.1", "request_sample": "GET \/configuration.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/configuration.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "643c2b8f097e17c11f47db06420e5601c9bd9530", "protocol_details": { "http_method": "GET", "http_path": "\/configuration.yml", "request_line": "GET \/configuration.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.89 Mobile Safari\/5\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/configuration.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/configuration.yml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/configuration.yml", "request_line": "GET \/configuration.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.89 Mobile Safari\/5\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/configuration.yml", "evidence_snippet": "GET \/configuration.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /settings.php	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /settings.php UA Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaN8-00/014.002; Profil… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950470:nosqli-3 http_probe_settings Cible HTTP GET /settings.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /settings.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Élevé · 67 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Settings PHP Ligne de requête `GET /settings.php HTTP/1.1` User-Agent Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaN8-00/014.002; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.6.4 3gpp-gba Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /settings.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaN8-00/014.002; Profile/ Requête brute (extrait) GET /settings.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaN8-00/014.002; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.6.4 3gpp-gba Accept-Chars Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "7747a3bf35fc4d7bd64846f727c7e4915dc8739a", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "82d3610aa3e19f51e6faea30fd476c3facb744f8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 311, "payload_entropy": 5.440887370331509, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 92, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1c3c4217d8c4f96af945525501843d0a2435e54e", "event_fingerprint": "7fba6d8b4676d8f50de062109b03079c41ee3a34", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0500" ], "matched_pattern_names": [ "Cred Settings PHP" ], "pattern_ids": [ "pat-0500" ], "confidence_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a3840ed45202aeb16b149764fb9e8b9e", "payload_hash": "0f06f03981a5fa956cc4b8969cb9464f", "path_pattern_hash": "23157306e7088efe4ec83e736f6b3e07" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaN8-00\/014.002; Profile\/", "method": "GET", "path": "\/settings.php", "user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaN8-00\/014.002; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.6.4 3gpp-gba", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/settings.php HTTP\/1.1", "request_sample": "GET \/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaN8-00\/014.002; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.6.4 3gpp-gba\r\nAccept-Chars", "payload_snippet": "GET \/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaN8-00\/014.002; Profile\/", "evidence": { "method": "GET", "path": "\/settings.php", "user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaN8-00\/014.002; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.6.4 3gpp-gba", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/settings.php HTTP\/1.1", "request_sample": "GET \/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaN8-00\/014.002; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.6.4 3gpp-gba\r\nAccept-Chars", "payload_snippet": "GET \/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaN8-00\/014.002; Profile\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "97349bfc2f1c7acf91d92fef2d7e4e05cf32daa9", "protocol_details": { "http_method": "GET", "http_path": "\/settings.php", "request_line": "GET \/settings.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaN8-00\/014.002; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/52\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaN8-00\/014.002; Profile\/", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.php", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/settings.php", "request_line": "GET \/settings.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaN8-00\/014.002; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/52\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.php", "evidence_snippet": "GET \/settings.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaN8-00\/014.002; Profile\/", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "http_probe_settings", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /application.properties	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /application.properties UA Mozilla/5.0 (Windows NT 6.0; rv:36.0) Gecko/20100101 Firefox/36… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /application.properties TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /application.properties Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /application.properties HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.0; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.properties HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:36.0) Gecko/20100101 Fi Requête brute (extrait) GET /application.properties HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "properties", "http_ua_hash": "b8c28617e1f66941e4fe0611e6b372b37a3ded4c", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "e3fd46d86bb2ad69319106117f93875bff130862", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 224, "payload_entropy": 5.228878387737721, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "1d445d7e9d6b0679df4bdf2d6acc46cad9541704", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "028fa1a02f1756674b7c82db2ba060e5", "payload_hash": "8999eb754da1aef7dfbde334db18f8ea", "path_pattern_hash": "8c4feac6bcb94afde681db33f96763e3" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.0; rv:36.0) Gecko\/20100101 Fi", "method": "GET", "path": "\/application.properties", "user_agent": "Mozilla\/5.0 (Windows NT 6.0; rv:36.0) Gecko\/20100101 Firefox\/36.0 SeaMonkey\/2.33.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.properties HTTP\/1.1", "request_sample": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.0; rv:36.0) Gecko\/20100101 Firefox\/36.0 SeaMonkey\/2.33.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.0; rv:36.0) Gecko\/20100101 Fi", "evidence": { "method": "GET", "path": "\/application.properties", "user_agent": "Mozilla\/5.0 (Windows NT 6.0; rv:36.0) Gecko\/20100101 Firefox\/36.0 SeaMonkey\/2.33.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.properties HTTP\/1.1", "request_sample": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.0; rv:36.0) Gecko\/20100101 Firefox\/36.0 SeaMonkey\/2.33.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.0; rv:36.0) Gecko\/20100101 Fi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9c760f47354f46f79a93948ae2e25279c0f9ac1a", "protocol_details": { "http_method": "GET", "http_path": "\/application.properties", "request_line": "GET \/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.0; rv:36.0) Gecko\/20100101 Firefox\/36.0 SeaMonkey\/2.33.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.0; rv:36.0) Gecko\/20100101 Fi", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.properties", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/application.properties", "request_line": "GET \/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.0; rv:36.0) Gecko\/20100101 Firefox\/36.0 SeaMonkey\/2.33.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.properties", "evidence_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.0; rv:36.0) Gecko\/20100101 Fi", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /settings.ini	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /settings.ini UA Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /settings.ini TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /settings.ini Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /settings.ini HTTP/1.1` User-Agent Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /settings.ini HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /settings.ini HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ini", "http_ua_hash": "d01b06811aba906acfa39f5a9e18db97f42e86f1", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "f01ec89928fe2f3ee90d02a7d289d5d5096b75ef", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 244, "payload_entropy": 5.42703147067414, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9168e67c0239c315b6c53b47b1067183652c82b8", "event_fingerprint": "ef3693b42b09c581692ec6a276a3c8dc9c7e7978", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c7496fa5bb924f8df93fede64addfea9", "payload_hash": "0315a4403eac8defa16644ddf052ee51", "path_pattern_hash": "9c5f76c4cd2a45bfda2541100b559957" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/settings.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/settings.ini", "user_agent": "Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.ini HTTP\/1.1", "request_sample": "GET \/settings.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/settings.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/settings.ini", "user_agent": "Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.ini HTTP\/1.1", "request_sample": "GET \/settings.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/settings.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "15b705bf4ea0895b95df132dd57083059e5162a6", "protocol_details": { "http_method": "GET", "http_path": "\/settings.ini", "request_line": "GET \/settings.ini HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.ini", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/settings.ini", "request_line": "GET \/settings.ini HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.ini", "evidence_snippet": "GET \/settings.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /appsettings.Development.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /appsettings.Development.json UA Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K)… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /appsettings.Development.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /appsettings.Development.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /appsettings.Development.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Silk/2.1 Mobile Safari/535.19 Silk-Accelerated=true Règles WAF rce-0 nosqli-3 Payload (extrait) GET /appsettings.Development.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Requête brute (extrait) GET /appsettings.Development.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Silk/2.1 Mobile Safari/535.19 Silk-Accelerated=true Accept-Charset: utf-8 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "2823fb091bc51afa38cb669957969972e70e4285", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "b16cc04f90b07f94f00559b7a5b80f472688ce81", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 302, "payload_entropy": 5.431744181002418, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "54d67d3f8688a5289ee9d56954d01a408afeb458", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c071d480eca0f72986e1a9acae4c6091", "payload_hash": "ef52da9b1b4a504e8f2801240653697b", "path_pattern_hash": "42f6207a734c8447ca0a471ac752ed62" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/appsettings.Development.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT", "method": "GET", "path": "\/appsettings.Development.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile Safari\/535.19 Silk-Accelerated=true", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/appsettings.Development.json HTTP\/1.1", "request_sample": "GET \/appsettings.Development.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile Safari\/535.19 Silk-Accelerated=true\r\nAccept-Charset: utf-8", "payload_snippet": "GET \/appsettings.Development.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT", "evidence": { "method": "GET", "path": "\/appsettings.Development.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile Safari\/535.19 Silk-Accelerated=true", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/appsettings.Development.json HTTP\/1.1", "request_sample": "GET \/appsettings.Development.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile Safari\/535.19 Silk-Accelerated=true\r\nAccept-Charset: utf-8", "payload_snippet": "GET \/appsettings.Development.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "671241e054766eac3dcacf9a1a7a5c726e1a0eac", "protocol_details": { "http_method": "GET", "http_path": "\/appsettings.Development.json", "request_line": "GET \/appsettings.Development.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/appsettings.Development.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/appsettings.Development.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/appsettings.Development.json", "request_line": "GET \/appsettings.Development.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/appsettings.Development.json", "evidence_snippet": "GET \/appsettings.Development.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /appsettings.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /appsettings.json UA Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ERD6… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /appsettings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /appsettings.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred ASP.NET settings Ligne de requête `GET /appsettings.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ERD62) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /appsettings.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ER Requête brute (extrait) GET /appsettings.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build/ERD62) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Accept-Charset: utf-8 Accept-Encoding: gzip Conn Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "a6467658c785f51c48af90041faf44204a34265b", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "1bb70c4d477e16ecbd1bc700e3f66fae61eb4898", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 273, "payload_entropy": 5.4115190830546585, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9168e67c0239c315b6c53b47b1067183652c82b8", "event_fingerprint": "b60490e65a4251c2230393f4ac527d5a86802976", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0466" ], "matched_pattern_names": [ "Cred ASP.NET settings" ], "pattern_ids": [ "pat-0466" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "621468122e187fa5107552cbdddde9b1", "payload_hash": "83488bf5c66388d1ac5c75bf6366b737", "path_pattern_hash": "8a0b1852fc2be645a82e96b3e5fdd755" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ER", "method": "GET", "path": "\/appsettings.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/appsettings.json HTTP\/1.1", "request_sample": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ER", "evidence": { "method": "GET", "path": "\/appsettings.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/appsettings.json HTTP\/1.1", "request_sample": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ER", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ada808c19ab45fbd17cfa0c837fe7331ff325dd5", "protocol_details": { "http_method": "GET", "http_path": "\/appsettings.json", "request_line": "GET \/appsettings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mo\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ER", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/appsettings.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/appsettings.json", "request_line": "GET \/appsettings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ERD62) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mo\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/appsettings.json", "evidence_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; Nexus One Build\/ER", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /app.yml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /app.yml UA Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /app.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /app.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 Accep Requête brute (extrait) GET /app.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "60716287cde82f3fedd9b100c1db0e52cff206bb", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "597dea0ab924c152a2925645cc353ecd4a8eea78", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.262471692473662, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "3e7d03aebcadf8399e7f160d3ca23f90914bd63d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bae70cb8b8067e75e2635a2bcad33b87", "payload_hash": "e49a6335bfa380730deea2e0c16ea013", "path_pattern_hash": "62ed182b1af6b760118a2c86d5130318" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1; rv:5.0) Gecko\/20100101 Firefox\/5.0\r\nAccep", "method": "GET", "path": "\/app.yml", "user_agent": "Mozilla\/5.0 (Windows NT 5.1; rv:5.0) Gecko\/20100101 Firefox\/5.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.yml HTTP\/1.1", "request_sample": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1; rv:5.0) Gecko\/20100101 Firefox\/5.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1; rv:5.0) Gecko\/20100101 Firefox\/5.0\r\nAccep", "evidence": { "method": "GET", "path": "\/app.yml", "user_agent": "Mozilla\/5.0 (Windows NT 5.1; rv:5.0) Gecko\/20100101 Firefox\/5.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.yml HTTP\/1.1", "request_sample": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1; rv:5.0) Gecko\/20100101 Firefox\/5.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1; rv:5.0) Gecko\/20100101 Firefox\/5.0\r\nAccep", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "12a9e81ecf9b19f8b04b643b4fcc2278e2f89cd2", "protocol_details": { "http_method": "GET", "http_path": "\/app.yml", "request_line": "GET \/app.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 5.1; rv:5.0) Gecko\/20100101 Firefox\/5.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1; rv:5.0) Gecko\/20100101 Firefox\/5.0\r\nAccep", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.yml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/app.yml", "request_line": "GET \/app.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 5.1; rv:5.0) Gecko\/20100101 Firefox\/5.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.yml", "evidence_snippet": "GET \/app.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1; rv:5.0) Gecko\/20100101 Firefox\/5.0\r\nAccep", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /application.yaml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /application.yaml UA Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots) Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 net_flood Cible HTTP GET /application.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /application.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /application.yaml HTTP/1.1` User-Agent Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots) Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /application.yaml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bo Requête brute (extrait) GET /application.yaml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "503f0ab2ff267b53bfa5e6de54112fffcea8a215", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "1191e273c1826d3cef67d2c70d425072ebc43c59", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 200, "payload_entropy": 5.206286591309496, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "90a0448a5b6ce23ac8e0bc367f86518c740c2388", "event_fingerprint": "ea8e7373eca00dde6d4b24d8b67c0a848389cba0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e4b041114023353df050002a76991832", "payload_hash": "ecac71f00edd725d47d799b0ec0c3bfb", "path_pattern_hash": "cef87ee8c99d38579e29ea993d58f554" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/application.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bo", "method": "GET", "path": "\/application.yaml", "user_agent": "Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bots)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/application.yaml HTTP\/1.1", "request_sample": "GET \/application.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bots)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bo", "evidence": { "method": "GET", "path": "\/application.yaml", "user_agent": "Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bots)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/application.yaml HTTP\/1.1", "request_sample": "GET \/application.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bots)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bo", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0fd6558c919408ec9a916bee9f854b655050b1f0", "protocol_details": { "http_method": "GET", "http_path": "\/application.yaml", "request_line": "GET \/application.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bots)", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bo", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.yaml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/application.yaml", "request_line": "GET \/application.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bots)", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.yaml", "evidence_snippet": "GET \/application.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bo", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /settings.py	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /settings.py UA Mozilla/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build/PKQ1)… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /settings.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /settings.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Django settings Ligne de requête `GET /settings.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build/PKQ1) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.12.8.1206 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /settings.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build/PKQ1) Ap Requête brute (extrait) GET /settings.py HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build/PKQ1) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.12.8.1206 Mobile Safari/537.36 Accept-Charse Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "py", "http_ua_hash": "5c5b65e7fcc8a5822e8047e1da2544e38616509e", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "3d04c639f33f174cecedd8e2b5ee24fd5f889511", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 310, "payload_entropy": 5.515984637677196, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "5756e9ee3797f1a6578ac570fb2745b5032774b0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0112" ], "matched_pattern_names": [ "LFI Django settings" ], "pattern_ids": [ "pat-0112" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b9dfacd4b48406417490821f6c00ccb8", "payload_hash": "beb0b9aa5ceba2c8281320c69088fcc6", "path_pattern_hash": "11cbdc1d0934c26ecc216cf25354d01f" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build\/PKQ1) Ap", "method": "GET", "path": "\/settings.py", "user_agent": "Mozilla\/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build\/PKQ1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.12.8.1206 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.py HTTP\/1.1", "request_sample": "GET \/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build\/PKQ1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.12.8.1206 Mobile Safari\/537.36\r\nAccept-Charse", "payload_snippet": "GET \/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build\/PKQ1) Ap", "evidence": { "method": "GET", "path": "\/settings.py", "user_agent": "Mozilla\/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build\/PKQ1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.12.8.1206 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.py HTTP\/1.1", "request_sample": "GET \/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build\/PKQ1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.12.8.1206 Mobile Safari\/537.36\r\nAccept-Charse", "payload_snippet": "GET \/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build\/PKQ1) Ap", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6a6abf50b58852927fce185f7cbc03cf92a24f45", "protocol_details": { "http_method": "GET", "http_path": "\/settings.py", "request_line": "GET \/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build\/PKQ1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chro\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build\/PKQ1) Ap", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.py", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/settings.py", "request_line": "GET \/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build\/PKQ1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chro\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.py", "evidence_snippet": "GET \/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 9; en-US; ASUS_X00TD Build\/PKQ1) Ap", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /app.yaml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /app.yaml UA Opera/9.80 (Linux i686; Opera Mobi/1040; U; en) Presto/2.5.24 V… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /app.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /app.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.yaml HTTP/1.1` User-Agent Opera/9.80 (Linux i686; Opera Mobi/1040; U; en) Presto/2.5.24 Version/10.00 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app.yaml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Opera/9.80 (Linux i686; Opera Mobi/1040; U; en) Presto/2.5.24 Version Requête brute (extrait) GET /app.yaml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Opera/9.80 (Linux i686; Opera Mobi/1040; U; en) Presto/2.5.24 Version/10.00 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "5bfc4abc6b0fd706c1e4eaf9f2fbf3d181c82a1a", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "4f8d8575094a0d78fe84167500fc46c65e6b83e6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 203, "payload_entropy": 5.2613413372094815, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "d1fc1031557a28b63b95007eddda79950b62a218", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7ca99061e1879ebb4736fd520e21fa82", "payload_hash": "28c8b73a04e87653e9eb0cb1bf8a761f", "path_pattern_hash": "930f4fba7ea3b5abd5a572fe6e72bfd6" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/app.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (Linux i686; Opera Mobi\/1040; U; en) Presto\/2.5.24 Version", "method": "GET", "path": "\/app.yaml", "user_agent": "Opera\/9.80 (Linux i686; Opera Mobi\/1040; U; en) Presto\/2.5.24 Version\/10.00", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.yaml HTTP\/1.1", "request_sample": "GET \/app.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (Linux i686; Opera Mobi\/1040; U; en) Presto\/2.5.24 Version\/10.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (Linux i686; Opera Mobi\/1040; U; en) Presto\/2.5.24 Version", "evidence": { "method": "GET", "path": "\/app.yaml", "user_agent": "Opera\/9.80 (Linux i686; Opera Mobi\/1040; U; en) Presto\/2.5.24 Version\/10.00", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.yaml HTTP\/1.1", "request_sample": "GET \/app.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (Linux i686; Opera Mobi\/1040; U; en) Presto\/2.5.24 Version\/10.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (Linux i686; Opera Mobi\/1040; U; en) Presto\/2.5.24 Version", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6e4b096e52cbb9483005c35914c8cc930d358c59", "protocol_details": { "http_method": "GET", "http_path": "\/app.yaml", "request_line": "GET \/app.yaml HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Linux i686; Opera Mobi\/1040; U; en) Presto\/2.5.24 Version\/10.00", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (Linux i686; Opera Mobi\/1040; U; en) Presto\/2.5.24 Version", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.yaml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/app.yaml", "request_line": "GET \/app.yaml HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Linux i686; Opera Mobi\/1040; U; en) Presto\/2.5.24 Version\/10.00", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.yaml", "evidence_snippet": "GET \/app.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (Linux i686; Opera Mobi\/1040; U; en) Presto\/2.5.24 Version", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /application.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /application.json UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /application.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /application.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /application.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/5 Requête brute (extrait) GET /application.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "ff1b4d2d5e751add0fb9d7873980288c385fc056", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "0b5572e340ceab13ef54a299786d05b13bd45040", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.392337055301514, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9168e67c0239c315b6c53b47b1067183652c82b8", "event_fingerprint": "5cf5f7ae4023906bbbf22d24319b102a0ba00a0e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6c1201e94056caeaa5897072d594ed49", "payload_hash": "0793d6e4b03997b8732d2e82b16d11bf", "path_pattern_hash": "10b0d9b92f796dbf4c156490a626ae9a" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/application.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/5", "method": "GET", "path": "\/application.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.json HTTP\/1.1", "request_sample": "GET \/application.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/application.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/application.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.json HTTP\/1.1", "request_sample": "GET \/application.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/application.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0be1d7e4281982a39bb8b9e2c339ec224f5d4a5c", "protocol_details": { "http_method": "GET", "http_path": "\/application.json", "request_line": "GET \/application.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/5", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/application.json", "request_line": "GET \/application.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.json", "evidence_snippet": "GET \/application.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/5", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /settings.yml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /settings.yml UA Mozilla/5.0 (Linux; Android 9; H3223) AppleWebKit/537.36 (KHTML… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /settings.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /settings.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /settings.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; H3223) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /settings.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; H3223) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /settings.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; H3223) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "5dccbb4ed4d133623b28dd15f6da5d868a0286c0", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "64e3a131204c128fe0a6ac8f9ded6401960ea19f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.3983329438882, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9168e67c0239c315b6c53b47b1067183652c82b8", "event_fingerprint": "3f9655981f9da10cc9144d878c15dad9ebd38a59", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f4361de46c9069af436191db4b45292", "payload_hash": "00e5b8a8f8070a3469efcdafb0f7652a", "path_pattern_hash": "1a33c37942f5d63da1514e0f25f1979f" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; H3223) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/settings.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; H3223) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.yml HTTP\/1.1", "request_sample": "GET \/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; H3223) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; H3223) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/settings.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; H3223) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings.yml HTTP\/1.1", "request_sample": "GET \/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; H3223) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; H3223) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "58abe86f104b4ba7f21edadf9c467633751b3ebb", "protocol_details": { "http_method": "GET", "http_path": "\/settings.yml", "request_line": "GET \/settings.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; H3223) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; H3223) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.yml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/settings.yml", "request_line": "GET \/settings.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; H3223) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings.yml", "evidence_snippet": "GET \/settings.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; H3223) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /database.php	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /database.php UA Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /database.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /database.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /database.php HTTP/1.1` User-Agent Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /database.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 Requête brute (extrait) GET /database.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "ece89018f8e51dcdb25431bef4142f642a506f93", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "1cac4715ed965215df929e78afc22914932809e0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 197, "payload_entropy": 5.2857354515036725, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 92, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 66, "tag_count": 4, "anomaly_count": 0, "campaign_key": "6ec6ad08c0d050de027a66031540ecc36486c02c", "event_fingerprint": "404ffc30b50cb74c34fd4bf756fe81b5e9cca17f", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 66 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3ef775987e41dcc313d41d88786ef3b6", "payload_hash": "d7633a35cfa7a9f541165940536aea5d", "path_pattern_hash": "90f376acfeae8feaa84cc75eee54384f" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "method": "GET", "path": "\/database.php", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/database.php HTTP\/1.1", "request_sample": "GET \/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "evidence": { "method": "GET", "path": "\/database.php", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/database.php HTTP\/1.1", "request_sample": "GET \/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "104a6871549c4d842fa4c53e6a1fbc37b3e77757", "protocol_details": { "http_method": "GET", "http_path": "\/database.php", "request_line": "GET \/database.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/database.php", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 66 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/database.php", "request_line": "GET \/database.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/database.php", "evidence_snippet": "GET \/database.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /db.php	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /db.php UA Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like G… Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950470:nosqli-3 http_probe_db net_flood Cible HTTP GET /db.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /db.php Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /db.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.91 Safari/537.36 Vivaldi/1.92.917.39 Règles WAF nosqli-3 Payload (extrait) GET /db.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Ch Requête brute (extrait) GET /db.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.91 Safari/537.36 Vivaldi/1.92.917.39 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "a53b6c4c3f98dc568a6ef6b41dc8a3f7c75ecaef", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "25eff87de964ee0386ae3b7dc262cc750c04e9f6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.402672865072369, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c37698649a25709420345882d2c6a17823738a02", "event_fingerprint": "096bf667cf96a6bad5872b91db88902a14b5d318", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "29e81dc06ebf428611e0dd6d72ac308f", "payload_hash": "a80532790e96f07574a5160731949ba5", "path_pattern_hash": "811319170a56ea52f00bd482e981607b" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/db.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "method": "GET", "path": "\/db.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.91 Safari\/537.36 Vivaldi\/1.92.917.39", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/db.php HTTP\/1.1", "request_sample": "GET \/db.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.91 Safari\/537.36 Vivaldi\/1.92.917.39\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/db.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "evidence": { "method": "GET", "path": "\/db.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.91 Safari\/537.36 Vivaldi\/1.92.917.39", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/db.php HTTP\/1.1", "request_sample": "GET \/db.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.91 Safari\/537.36 Vivaldi\/1.92.917.39\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/db.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "026b4cc1caf453dc3a44ffba24e0258086ed0adb", "protocol_details": { "http_method": "GET", "http_path": "\/db.php", "request_line": "GET \/db.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.91 Safari\/537.36 Vivaldi\/1.92.917\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/db.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/db.php", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/db.php", "request_line": "GET \/db.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.91 Safari\/537.36 Vivaldi\/1.92.917\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/db.php", "evidence_snippet": "GET \/db.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "http_probe_db", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /app.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /app.json UA Mozilla/5.0 (Linux; Android 7.0; LG-H918 Build/NRD90M) AppleWeb… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /app.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /app.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; LG-H918 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; LG-H918 Build/NRD90M) AppleWebKit/53 Requête brute (extrait) GET /app.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; LG-H918 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "9ef5541214fd1cb5050eaa0aa3c11d33b134d1f6", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "cf8222be2fbd8af767cbac7dc8c95f4a17eb0111", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.495829645635039, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "203d448ff22b14881c783fb63d2d1b3599727b90", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "78998aca9d9fe0b2c9a380079e0f2554", "payload_hash": "b1e903dcb8d46bce3e0cc065688a247c", "path_pattern_hash": "dd0b61b983772942d4c3984314456196" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/app.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H918 Build\/NRD90M) AppleWebKit\/53", "method": "GET", "path": "\/app.json", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LG-H918 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.json HTTP\/1.1", "request_sample": "GET \/app.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H918 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/app.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H918 Build\/NRD90M) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/app.json", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LG-H918 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.json HTTP\/1.1", "request_sample": "GET \/app.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H918 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/app.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H918 Build\/NRD90M) AppleWebKit\/53", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0043d8e32f9ee15156b2a38e0c7b097a77360d97", "protocol_details": { "http_method": "GET", "http_path": "\/app.json", "request_line": "GET \/app.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LG-H918 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobil\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H918 Build\/NRD90M) AppleWebKit\/53", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/app.json", "request_line": "GET \/app.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LG-H918 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Mobil\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.json", "evidence_snippet": "GET \/app.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H918 Build\/NRD90M) AppleWebKit\/53", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /parameters.php	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /parameters.php UA Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537.36… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /parameters.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /parameters.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /parameters.php HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /parameters.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537.36 Requête brute (extrait) GET /parameters.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "fae00653dfac480b42f044c98783176983f00bea", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "286be570ea447b8792eae3fc44fdaf3699668e04", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.38362098842245, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "38925ec870209985364d16a3554ab4be68e0229b", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a3a72b638cf0154db604cf829203ccf8", "payload_hash": "653f6bfa8f34bd899b81aebaf492f40a", "path_pattern_hash": "b7b2f31048e2b1169a73a940e673c13a" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/parameters.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36", "method": "GET", "path": "\/parameters.php", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/parameters.php HTTP\/1.1", "request_sample": "GET \/parameters.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/parameters.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/parameters.php", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/parameters.php HTTP\/1.1", "request_sample": "GET \/parameters.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/parameters.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a8ebb4471520bb1f43bd30ca863b71df16c76f3c", "protocol_details": { "http_method": "GET", "http_path": "\/parameters.php", "request_line": "GET \/parameters.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/parameters.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/parameters.php", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/parameters.php", "request_line": "GET \/parameters.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/parameters.php", "evidence_snippet": "GET \/parameters.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /database.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /database.json UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWeb… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /database.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /database.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /database.json HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/74.0.3729.155 Mobile/15E148 Safari/605.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /database.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebK Requête brute (extrait) GET /database.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/74.0.3729.155 Mobile/15E148 Safari/605.1 Accept-Charset: utf-8 Accept-Encoding: gzip Co Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "21742e56842544ca653f4f8a714b9fe7856e6a7c", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "f689104314a10f54bd93f91634b8afdc76c6b282", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 275, "payload_entropy": 5.404083485925739, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9168e67c0239c315b6c53b47b1067183652c82b8", "event_fingerprint": "2da4766bf4504cb6b25b8120710ba4397bc00efd", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ca70792b7e2c914d52dd136ef4aa2f8d", "payload_hash": "dc817212c862aaaa3ef12d14d5b0939a", "path_pattern_hash": "f1f37e8fcf8a0b13708dc4a3ea488f0e" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/database.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebK", "method": "GET", "path": "\/database.json", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/74.0.3729.155 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/database.json HTTP\/1.1", "request_sample": "GET \/database.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/74.0.3729.155 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/database.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebK", "evidence": { "method": "GET", "path": "\/database.json", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/74.0.3729.155 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/database.json HTTP\/1.1", "request_sample": "GET \/database.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/74.0.3729.155 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/database.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "da43c656ed195882e36cc5ffee9e167d45901640", "protocol_details": { "http_method": "GET", "http_path": "\/database.json", "request_line": "GET \/database.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/74.0.3729.155 Mob\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/database.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebK", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/database.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/database.json", "request_line": "GET \/database.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/74.0.3729.155 Mob\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/database.json", "evidence_snippet": "GET \/database.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebK", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /parameters.yaml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /parameters.yaml UA Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Version/11… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /parameters.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /parameters.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /parameters.yaml HTTP/1.1` User-Agent Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Version/11.10 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /parameters.yaml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Version/1 Requête brute (extrait) GET /parameters.yaml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Version/11.10 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "f5aa68ce0d176daced3e5603621b296b2ab1a7e7", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "95756296d683ee74665812bc6016d439dcda6d9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 201, "payload_entropy": 5.2249121291762854, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "ea5afaadecdfc86f8181b2b1cbc6b961ce78c41c", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "97f443d87205c2b6684b7ad10f42aec7", "payload_hash": "467c166b769a1c5eb26b2583dc1b7c12", "path_pattern_hash": "cc07af73f4f98af6d4122b31309fa57c" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/1", "method": "GET", "path": "\/parameters.yaml", "user_agent": "Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/parameters.yaml HTTP\/1.1", "request_sample": "GET \/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/1", "evidence": { "method": "GET", "path": "\/parameters.yaml", "user_agent": "Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/parameters.yaml HTTP\/1.1", "request_sample": "GET \/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7cb13fded4abda77610dfebf373983721af0193d", "protocol_details": { "http_method": "GET", "http_path": "\/parameters.yaml", "request_line": "GET \/parameters.yaml HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/1", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/parameters.yaml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/parameters.yaml", "request_line": "GET \/parameters.yaml HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/parameters.yaml", "evidence_snippet": "GET \/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/1", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /database.yml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /database.yml UA Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko/200… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /database.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /database.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Database YAML Ligne de requête `GET /database.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko/20080303 SeaMonkey/1.1.8 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /database.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko/20080 Requête brute (extrait) GET /database.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko/20080303 SeaMonkey/1.1.8 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "2d8bcb907bf81985d29ed9ad09c744bea8258b71", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "d9be78204b9f1f993ba727c25934a91ddb9f7e73", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 216, "payload_entropy": 5.2828603170068025, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9168e67c0239c315b6c53b47b1067183652c82b8", "event_fingerprint": "c381fb692b12d086fe2e373b17959162a499aa37", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0474" ], "matched_pattern_names": [ "Cred Database YAML" ], "pattern_ids": [ "pat-0474" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a7cbfa848ac307add6c1512eb30c65d5", "payload_hash": "343ae6d3422964476ad63b511b3e55e6", "path_pattern_hash": "e456118ffd1efe78c2d2e3dd8e291349" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080", "method": "GET", "path": "\/database.yml", "user_agent": "Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/database.yml HTTP\/1.1", "request_sample": "GET \/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080", "evidence": { "method": "GET", "path": "\/database.yml", "user_agent": "Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/database.yml HTTP\/1.1", "request_sample": "GET \/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "11873f3ae8e6d44a73a7c9f02abb98acf45d2cc0", "protocol_details": { "http_method": "GET", "http_path": "\/database.yml", "request_line": "GET \/database.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/database.yml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/database.yml", "request_line": "GET \/database.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080303 SeaMonkey\/1.1.8", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/database.yml", "evidence_snippet": "GET \/database.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.12) Gecko\/20080", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /db.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /db.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /db.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /db.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /db.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240&Win32 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /db.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, l Requête brute (extrait) GET /db.json HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240&Win32 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "b0364640299db33f8404b11696d99381bae30e58", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "47618fdbcf9ecf5f0f0b812f27dd0a99e70be33b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.434644242023713, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "47fb5989d86ea6673a63e602b3f38057ca38b29a", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7236346f5c04ebdd8f79152ee3fb55b6", "payload_hash": "1fc54d03e179b76a09ea3a44bad56de9", "path_pattern_hash": "d53ec0e591dd049d89b7330804ee0a04" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/db.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "method": "GET", "path": "\/db.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240&Win32", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/db.json HTTP\/1.1", "request_sample": "GET \/db.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240&Win32\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/db.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "evidence": { "method": "GET", "path": "\/db.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240&Win32", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/db.json HTTP\/1.1", "request_sample": "GET \/db.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240&Win32\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/db.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d0c8ec62a6d2d13ebc1c1ef45627e8441992466d", "protocol_details": { "http_method": "GET", "http_path": "\/db.json", "request_line": "GET \/db.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edg\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/db.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/db.json", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/db.json", "request_line": "GET \/db.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edg\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/db.json", "evidence_snippet": "GET \/db.json HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, l", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → 3K9*	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole V3X& 3K9* JA3 19e29534fd49dd27 Émulateur HTTP WAF 0 Recommandation Investiguer Tags http_no_ua net_flood net_slowloris Cible HTTP V3X& 3K9* TLS SNI — Capteur paris-1
Preuve / Evidence Méthode V3X& Port 8080 Chemin / cible 3K9* Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 51 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ Ligne de requête `V3X& 3K9* HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) ��V��3X&�� 3K9��* F5�#�J�d ��TZ�CaR7Ydqs -�}T~�.�� &�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��V��3X&�� 3K9��* F5�#�J�d � �TZ�CaR7Ydqs -�}T~�.�� &�+�/�,�0̨̩� �� /5� w �+3&$ o50��l��cO�{��Zd�k޷0g]oy�E Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "0371409b9251e58c5e986277a7a3aa37d2ebacf7", "http_referer_hash": null, "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003V\u00043X&", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 239, "payload_entropy": 5.72750082459102, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 8, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5f9217dc41d7e020be5cfe6a650da409c7f9f55c", "event_fingerprint": "55ae4b235ea15a36abce6223f64b839057f2bdec", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4d903f6ba777d0e7994c5167741718f0", "path_pattern_hash": "0e4d4e2906f8b171081c409e1384b95f", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003V\u00043X&", "path": "3\u0000K\u001a9\u0014", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003V\u00043X& 3\u0000K\u001a9\u0014* HTTP\/1.1", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003V\u0004\ufffd\ufffd3X&\ufffd\ufffd\r3\u0000K\u001a9\ufffd\ufffd\u0014\ufffd\ufffd\nF5\u0006\ufffd\u0000#\ufffdJ\ufffdd \ufffd\u0017\f\ufffdTZ\ufffdC\u001eaR7Ydqs\n-\ufffd}T~\ufffd.\u0007\ufffd\u0003\ufffd\ufffd \u0003\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003V\u00043X&", "path": "3\u0000K\u001a9\u0014", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003V\u00043X& 3\u0000K\u001a9\u0014* HTTP\/1.1", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003V\u0004\ufffd\ufffd3X&\ufffd\ufffd\r3\u0000K\u001a9\ufffd\ufffd\u0014\ufffd\ufffd\nF5\u0006\ufffd\u0000#\ufffdJ\ufffdd \ufffd\u0017\f\ufffdTZ\ufffdC\u001eaR7Ydqs\n-\ufffd}T~\ufffd.\u0007\ufffd\u0003\ufffd\ufffd \u0003\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 o50\ufffd\ufffdl\ufffd\ufffd\ufffdcO\ufffd{\u0004\ufffd\ufffd\u0016Zd\ufffdk\u07b70g]oy\u0010\ufffdE", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003V\u0004\ufffd\ufffd3X&\ufffd\ufffd\r3\u0000K\u001a9\ufffd\ufffd\u0014\ufffd\ufffd\nF5\u0006\ufffd\u0000#\ufffdJ\ufffdd \ufffd\u0017\f\ufffdTZ\ufffdC\u001eaR7Ydqs\n-\ufffd}T~\ufffd.\u0007\ufffd\u0003\ufffd\ufffd \u0003\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bdc26090532c8d5d2d432aa143aef2e2ae79ed32", "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003V\u00043X&", "http_path": "3\u0000K\u001a9\u0014", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003V\u00043X& 3\u0000K\u001a9\u0014* HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "\ufffd\ufffdV\ufffd\ufffd3X&\ufffd\ufffd\r3K9\ufffd\ufffd\ufffd\ufffd\nF5\ufffd#\ufffdJ\ufffdd \ufffd\ufffdTZ\ufffdCaR7Ydqs\n-\ufffd}T~\ufffd.\ufffd\ufffd\ufffd \ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 3\u0000K\u001a9\u0014", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003V\u00043X&", "http_path": "3\u0000K\u001a9\u0014", "request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003V\u00043X& 3\u0000K\u001a9\u0014 HTTP\/1.1", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 3\u0000K\u001a9\u0014", "evidence_snippet": "\ufffd\ufffdV\ufffd\ufffd3X&\ufffd\ufffd\r3K9\ufffd\ufffd\ufffd\ufffd\nF5\ufffd#\ufffdJ\ufffdd \ufffd\ufffdTZ\ufffdCaR7Ydqs\n-\ufffd}T~\ufffd.\ufffd\ufffd\ufffd \ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_no_ua", "net_flood", "net_slowloris" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /parameters.yml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /parameters.yml UA Mozilla/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit/537.36… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /parameters.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /parameters.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /parameters.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /parameters.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit/537.36 Requête brute (extrait) GET /parameters.yml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "5020f35600b6259b6d55b9207d0c100adf7e374d", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "b85297805f4a1660bc0516b82d09c9064617a85f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.415373094810639, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71c1fd9456c801ce09ebb66dd0458b247e5ab609", "event_fingerprint": "831c9247414cf2762f876a3243b242b43991d280", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3dfd75f7c8d7d58ffed1219e5e3cb070", "payload_hash": "7a2d87b2a2b1956fd4c80e7c13e5701f", "path_pattern_hash": "1e232f78d9abb7f2c06811728fdfcb5d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36", "method": "GET", "path": "\/parameters.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/parameters.yml HTTP\/1.1", "request_sample": "GET \/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/parameters.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/parameters.yml HTTP\/1.1", "request_sample": "GET \/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "99785223442d3d8f976fb0fb87df89ff2e7dbbd0", "protocol_details": { "http_method": "GET", "http_path": "\/parameters.yml", "request_line": "GET \/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/parameters.yml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/parameters.yml", "request_line": "GET \/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/parameters.yml", "evidence_snippet": "GET \/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930V) AppleWebKit\/537.36", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 21:17:56 UTC	TCP	8080 · HTTP	http	Flood / DDoS http flood · via HTTP:8080 · (tentative d'exploit) · → /database.yaml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1499 TA0001 TA0002 Protocole GET /database.yaml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /database.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /database.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /database.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 OPR/63.0.3368.35 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /database.yaml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH Requête brute (extrait) GET /database.yaml HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 OPR/63.0.3368.35 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "69f8e477a7195e8b368b08823d719009644c30d5", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "8f59d64dfe8714dd547b4f8e0c456236f926309b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 265, "payload_entropy": 5.436517846941442, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "HK", "dst_port": 8080, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9168e67c0239c315b6c53b47b1067183652c82b8", "event_fingerprint": "a0b3a9cfcc69f83344e07428e12ce729e9dc8d51", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "HK", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "25120665c6fc56e7b34ba104ed7d0ede", "payload_hash": "34e926a1a9ecccd117163ceeaa237fcb", "path_pattern_hash": "67978f470de052926073ab795a08f418" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/database.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/database.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36 OPR\/63.0.3368.35", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/database.yaml HTTP\/1.1", "request_sample": "GET \/database.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36 OPR\/63.0.3368.35\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/database.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/database.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36 OPR\/63.0.3368.35", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/database.yaml HTTP\/1.1", "request_sample": "GET \/database.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36 OPR\/63.0.3368.35\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/database.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "33484d079067e2172b35782c63e46dc8b3e826b2", "protocol_details": { "http_method": "GET", "http_path": "\/database.yaml", "request_line": "GET \/database.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36 OPR\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/database.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/database.yaml", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/database.yaml", "request_line": "GET \/database.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36 OPR\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/database.yaml", "evidence_snippet": "GET \/database.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }

35.220.230.19

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence