14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /.env.template
Élevée
Moyen · 49
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /.env.template UA wii libnup/1.0
Émulateur
HTTP
WAF
8
Recommandation
Surveiller
Tags
950514:leak-1
http_backup_file_scan
http_sensitive_path
net_web_probe
Cible HTTP
GET
/.env.template
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/.env.template
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « leak-1 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 49
Confiance : Confiance 100 % — Motif catalogue confirmé · 1 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
pat-0191
Upstream
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /.env
Ligne de requête
GET /.env.template HTTP/1.1
User-Agent
wii libnup/1.0
Règles WAF
leak-1
Payload (extrait)
GET /.env.template HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: wii libnup/1.0
Accept-Charset: utf-8
Accept-Encoding: gzip
Co
Requête brute (extrait)
GET /.env.template HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: wii libnup/1.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "template",
"http_ua_hash": "3f4e5c87c193872106cfbb5d90285db4df3fe4ed",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "edccaea3bbb1eaacbff6973ad5f703ae60c1ddc1",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.064450662849024,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 40,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 40,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 49,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "8652fb31413054822d8a141db2b65f8ae7b7e389",
"event_fingerprint": "32cd89e435f5e001ff5260548c07f66a7166916c",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 240,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream"
],
"matched_patterns": [
"pat-0191"
],
"matched_pattern_names": [
"Probe \/.env"
],
"pattern_ids": [
"pat-0191"
],
"confidence_breakdown": {
"waf": 40,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 49,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "06587e20115dae1320821738f5e73854",
"payload_hash": "6273bf1b5f992c70056c0d05d5623bb8",
"path_pattern_hash": "6f72c17e203141284a34bb73c6ef5765"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 49
},
"payload_preview": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: wii libnup\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo",
"method": "GET",
"path": "\/.env.template",
"user_agent": "wii libnup\/1.0",
"waf_tags": [
"950514:leak-1"
],
"waf_rule_names": [
"leak-1"
],
"request_line": "GET \/.env.template HTTP\/1.1",
"request_sample": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: wii libnup\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: wii libnup\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo",
"evidence": {
"method": "GET",
"path": "\/.env.template",
"user_agent": "wii libnup\/1.0",
"waf_tags": [
"950514:leak-1"
],
"waf_rule_names": [
"leak-1"
],
"request_line": "GET \/.env.template HTTP\/1.1",
"request_sample": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: wii libnup\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: wii libnup\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f258b804766ef3aad7cf6595bfe4c6e293d1e0fc",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.template",
"request_line": "GET \/.env.template HTTP\/1.1",
"http_user_agent": "wii libnup\/1.0",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: wii libnup\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.template",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 1 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 40,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 49,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 49,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"pat-0191",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.template",
"request_line": "GET \/.env.template HTTP\/1.1",
"http_user_agent": "wii libnup\/1.0",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.template",
"evidence_snippet": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: wii libnup\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 1 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 40 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
�����������r�L�j���-��&!0�Z�£e�R�Ҝh��L��� �i ���f��l���#��/H\�Z����4�8(�?�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������r�L�j���-��&!0�Z�£e�R�Ҝh��L��� �i
���f��l���#��/H\�Z����4�8(�?�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������r�L�j���-��&!0�Z�£e�R�Ҝh��L��� �i ���f��l���#��/H\�Z����4�8(�?�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ����6:��x������kH�+��� ����y
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.841007143867788,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "fc06c824df4a804d476b0e89a599ce8d4ad2c0c4",
"event_fingerprint": "73de1024b23993e40693db328fc9a5b5266e5167",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "bc6650739c6351c756ac6da607050418",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003r\ufffdL\ufffdj\ufffd\ufffd\u001e-\ufffd\u001b&!0\ufffdZ\ufffd\u00a3e\u001eR\ufffd\u049ch\b\ufffdL\u000e\ufffd\ufffd \ufffdi\n\ufffd\ufffd\u001bf\u0000\ufffdl\u001e\ufffd\ufffd#\u001c\ufffd\/H\\\ufffdZ\ufffd\ufffd\u0018\u00004\ufffd8(\ufffd?\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003r\ufffdL\ufffdj\ufffd\ufffd\u001e-\ufffd\u001b&!0\ufffdZ\ufffd\u00a3e\u001eR\ufffd\u049ch\b\ufffdL\u000e\ufffd\ufffd \ufffdi\n\ufffd\ufffd\u001bf\u0000\ufffdl\u001e\ufffd\ufffd#\u001c\ufffd\/H\\\ufffdZ\ufffd\ufffd\u0018\u00004\ufffd8(\ufffd?\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffd6:\ufffd\ufffdx\u000f\ufffd\ufffd\ufffd\ufffd\u000ekH\ufffd+\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\u0003\u07bdy",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003r\ufffdL\ufffdj\ufffd\ufffd\u001e-\ufffd\u001b&!0\ufffdZ\ufffd\u00a3e\u001eR\ufffd\u049ch\b\ufffdL\u000e\ufffd\ufffd \ufffdi\n\ufffd\ufffd\u001bf\u0000\ufffdl\u001e\ufffd\ufffd#\u001c\ufffd\/H\\\ufffdZ\ufffd\ufffd\u0018\u00004\ufffd8(\ufffd?\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e4fcd1a5172824bdd3a52fed6a26a81d19955f35",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003r\ufffdL\ufffdj\ufffd\ufffd\u001e-\ufffd\u001b&!0\ufffdZ\ufffd\u00a3e\u001eR\ufffd\u049ch\b\ufffdL\u000e\ufffd\ufffd \ufffdi\n\ufffd\ufffd\u001bf\u0000\ufffdl\u001e\ufffd\ufffd#\u001c\ufffd\/H\\\ufffdZ\ufffd\ufffd\u0018\u00004\ufffd8(\ufffd?\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffdr\ufffdL\ufffdj\ufffd\ufffd-\ufffd&!0\ufffdZ\ufffd\u00a3eR\ufffd\u049ch\ufffdL\ufffd\ufffd \ufffdi\n\ufffd\ufffdf\ufffdl\ufffd\ufffd#\ufffd\/H\\\ufffdZ\ufffd\ufffd4\ufffd8(\ufffd?&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003r\ufffdL\ufffdj\ufffd\ufffd\u001e-\ufffd\u001b&!0\ufffdZ\ufffd\u00a3e\u001eR\ufffd\u049ch\b\ufffdL\u000e\ufffd\ufffd \ufffdi\n\ufffd\ufffd\u001bf\u0000\ufffdl\u001e\ufffd\ufffd#\u001c\ufffd\/H\\\ufffdZ\ufffd\ufffd\u0018\u00004\ufffd8(\ufffd?\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdr\ufffdL\ufffdj\ufffd\ufffd-\ufffd&!0\ufffdZ\ufffd\u00a3eR\ufffd\u049ch\ufffdL\ufffd\ufffd \ufffdi\n\ufffd\ufffdf\ufffdl\ufffd\ufffd#\ufffd\/H\\\ufffdZ\ufffd\ufffd4\ufffd8(\ufffd?&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
�����������c����������T���x���� 7��!P��ЋE� ��k1'!��jtC�V�0�T��U�at���'��5�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������c����������T���x�����7��!P��ЋE� ���k1'!��jtC�V�0�T��U�at���'��5�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������c����������T���x���� 7��!P��ЋE� ��k1'!��jtC�V�0�T��U�at���'��5�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��&���� M��˃�O���1t"������֨�v)
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.84185255353324,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "fc06c824df4a804d476b0e89a599ce8d4ad2c0c4",
"event_fingerprint": "73de1024b23993e40693db328fc9a5b5266e5167",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "399db7341c48af15a59b9960a9078209",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c\u0019\ufffd\u0012\u000f\ufffd\u001d\ufffd\ufffd\ufffd\ufffdT\u0003\ufffd\ufffdx\u0016\ufffd\u001d\ufffd\f7\ufffd\ufffd!P\ufffd\u0004\u040bE\ufffd \f\ufffd\ufffdk1'!\ufffd\u0007jtC\ufffdV\ufffd0\ufffdT\ufffd\u001cU\ufffdat\ufffd\ufffd\ufffd'\ufffd\ufffd5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c\u0019\ufffd\u0012\u000f\ufffd\u001d\ufffd\ufffd\ufffd\ufffdT\u0003\ufffd\ufffdx\u0016\ufffd\u001d\ufffd\f7\ufffd\ufffd!P\ufffd\u0004\u040bE\ufffd \f\ufffd\ufffdk1'!\ufffd\u0007jtC\ufffdV\ufffd0\ufffdT\ufffd\u001cU\ufffdat\ufffd\ufffd\ufffd'\ufffd\ufffd5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd&\ufffd\ufffd\ufffd\ufffd\fM\ufffd\b\u02c3\ufffdO\ufffd\ufffd\ufffd1t\"\ufffd\ufffd\ufffd\ufffd\u001a\ufffd\u05a8\ufffdv)",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c\u0019\ufffd\u0012\u000f\ufffd\u001d\ufffd\ufffd\ufffd\ufffdT\u0003\ufffd\ufffdx\u0016\ufffd\u001d\ufffd\f7\ufffd\ufffd!P\ufffd\u0004\u040bE\ufffd \f\ufffd\ufffdk1'!\ufffd\u0007jtC\ufffdV\ufffd0\ufffdT\ufffd\u001cU\ufffdat\ufffd\ufffd\ufffd'\ufffd\ufffd5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e6c3f6522b5c78df93c68ea4f3e037217de9bbbb",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c\u0019\ufffd\u0012\u000f\ufffd\u001d\ufffd\ufffd\ufffd\ufffdT\u0003\ufffd\ufffdx\u0016\ufffd\u001d\ufffd\f7\ufffd\ufffd!P\ufffd\u0004\u040bE\ufffd \f\ufffd\ufffdk1'!\ufffd\u0007jtC\ufffdV\ufffd0\ufffdT\ufffd\u001cU\ufffdat\ufffd\ufffd\ufffd'\ufffd\ufffd5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\ufffd\ufffdx\ufffd\ufffd7\ufffd\ufffd!P\ufffd\u040bE\ufffd \ufffd\ufffdk1'!\ufffdjtC\ufffdV\ufffd0\ufffdT\ufffdU\ufffdat\ufffd\ufffd\ufffd'\ufffd\ufffd5&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c\u0019\ufffd\u0012\u000f\ufffd\u001d\ufffd\ufffd\ufffd\ufffdT\u0003\ufffd\ufffdx\u0016\ufffd\u001d\ufffd\f7\ufffd\ufffd!P\ufffd\u0004\u040bE\ufffd \f\ufffd\ufffdk1'!\ufffd\u0007jtC\ufffdV\ufffd0\ufffdT\ufffd\u001cU\ufffdat\ufffd\ufffd\ufffd'\ufffd\ufffd5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\ufffd\ufffdx\ufffd\ufffd7\ufffd\ufffd!P\ufffd\u040bE\ufffd \ufffd\ufffdk1'!\ufffdjtC\ufffdV\ufffd0\ufffdT\ufffdU\ufffdat\ufffd\ufffd\ufffd'\ufffd\ufffd5&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
�����������D���}��� G���9�� r2�;:��]������ p�"o�ۈ����7�<����xm�6jC�FF'pQ�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������D���}���
G���9�� r2�;:��]������ p�"o�ۈ����7�<����xm�6jC�FF'pQ�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������D���}��� G���9�� r2�;:��]������ p�"o�ۈ����7�<����xm�6jC�FF'pQ�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �_Q�˥W]��sl��b��F O�����x�K_�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.794503406494776,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "fc06c824df4a804d476b0e89a599ce8d4ad2c0c4",
"event_fingerprint": "73de1024b23993e40693db328fc9a5b5266e5167",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "969689d3b79160fc6d9531fec319009a",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003D\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\nG\ufffd\ufffd\u001a9\u000f\u001b r2\ufffd;:\u001d\ufffd]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd p\ufffd\"o\ufffd\u06c8\ufffd\u0010\ufffd\ufffd7\ufffd<\ufffd\u008e\u0004\ufffd\ufffdxm\ufffd6jC\u001aFF'pQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003D\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\nG\ufffd\ufffd\u001a9\u000f\u001b r2\ufffd;:\u001d\ufffd]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd p\ufffd\"o\ufffd\u06c8\ufffd\u0010\ufffd\ufffd7\ufffd<\ufffd\u008e\u0004\ufffd\ufffdxm\ufffd6jC\u001aFF'pQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd_Q\u0003\u02e5W]\u0018\bsl\ufffd\ufffdb\ufffd\ufffdF\fO\ufffd\u0000\ufffd\u000e\ufffdx\u001dK_\u0013",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003D\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\nG\ufffd\ufffd\u001a9\u000f\u001b r2\ufffd;:\u001d\ufffd]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd p\ufffd\"o\ufffd\u06c8\ufffd\u0010\ufffd\ufffd7\ufffd<\ufffd\u008e\u0004\ufffd\ufffdxm\ufffd6jC\u001aFF'pQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "71b284b1edfc26aa414b099bfaa205b8b39be349",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003D\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\nG\ufffd\ufffd\u001a9\u000f\u001b r2\ufffd;:\u001d\ufffd]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd p\ufffd\"o\ufffd\u06c8\ufffd\u0010\ufffd\ufffd7\ufffd<\ufffd\u008e\u0004\ufffd\ufffdxm\ufffd6jC\u001aFF'pQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffdD\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\nG\ufffd\ufffd9 r2\ufffd;:\ufffd]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd p\ufffd\"o\ufffd\u06c8\ufffd\ufffd\ufffd7\ufffd<\ufffd\u008e\ufffd\ufffdxm\ufffd6jCFF'pQ&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003D\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\nG\ufffd\ufffd\u001a9\u000f\u001b r2\ufffd;:\u001d\ufffd]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd p\ufffd\"o\ufffd\u06c8\ufffd\u0010\ufffd\ufffd7\ufffd<\ufffd\u008e\u0004\ufffd\ufffdxm\ufffd6jC\u001aFF'pQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdD\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\nG\ufffd\ufffd9 r2\ufffd;:\ufffd]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd p\ufffd\"o\ufffd\u06c8\ufffd\ufffd\ufffd7\ufffd<\ufffd\u008e\ufffd\ufffdxm\ufffd6jCFF'pQ&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
�������������Sg�Y����F$89���7nG�Le;vf*��>� ��ѥ����h��|��̱�,���Y�e��TFʁ���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������Sg�Y����F$89���7nG�Le;vf*��>�� ��ѥ����h��|��̱�,���Y�e��TFʁ���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������Sg�Y����F$89���7nG�Le;vf*��>� ��ѥ����h��|��̱�,���Y�e��TFʁ���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���nA����z�S{��?�i��O�i=���.&p
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.913686589575207,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "fc06c824df4a804d476b0e89a599ce8d4ad2c0c4",
"event_fingerprint": "73de1024b23993e40693db328fc9a5b5266e5167",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "49d8c0344bf263eea17cad0e924b223d",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdSg\ufffdY\ufffd\ufffd\ufffd\u0005F$89\u0011\ufffd\ufffd7nG\ufffdLe;vf*\ufffd\ufffd>\ufffd\f \ufffd\ufffd\u0465\ufffd\ufffd\ufffd\ufffdh\u0019\ufffd|\ufffd\ufffd\u0331\ufffd,\ufffd\ufffd\ufffdY\ufffde\ufffd\ufffdTF\u0281\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdSg\ufffdY\ufffd\ufffd\ufffd\u0005F$89\u0011\ufffd\ufffd7nG\ufffdLe;vf*\ufffd\ufffd>\ufffd\f \ufffd\ufffd\u0465\ufffd\ufffd\ufffd\ufffdh\u0019\ufffd|\ufffd\ufffd\u0331\ufffd,\ufffd\ufffd\ufffdY\ufffde\ufffd\ufffdTF\u0281\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdnA\ufffd\ufffd\ufffd\ufffdz\ufffdS{\ufffd\ufffd?\ufffdi\ufffd\ufffdO\ufffdi=\ufffd\u0003\ufffd.&p",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdSg\ufffdY\ufffd\ufffd\ufffd\u0005F$89\u0011\ufffd\ufffd7nG\ufffdLe;vf*\ufffd\ufffd>\ufffd\f \ufffd\ufffd\u0465\ufffd\ufffd\ufffd\ufffdh\u0019\ufffd|\ufffd\ufffd\u0331\ufffd,\ufffd\ufffd\ufffdY\ufffde\ufffd\ufffdTF\u0281\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "25bc99c270b4eda6cfee8e83a85315e8a53828ab",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdSg\ufffdY\ufffd\ufffd\ufffd\u0005F$89\u0011\ufffd\ufffd7nG\ufffdLe;vf*\ufffd\ufffd>\ufffd\f \ufffd\ufffd\u0465\ufffd\ufffd\ufffd\ufffdh\u0019\ufffd|\ufffd\ufffd\u0331\ufffd,\ufffd\ufffd\ufffdY\ufffde\ufffd\ufffdTF\u0281\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdSg\ufffdY\ufffd\ufffd\ufffdF$89\ufffd\ufffd7nG\ufffdLe;vf*\ufffd\ufffd>\ufffd \ufffd\ufffd\u0465\ufffd\ufffd\ufffd\ufffdh\ufffd|\ufffd\ufffd\u0331\ufffd,\ufffd\ufffd\ufffdY\ufffde\ufffd\ufffdTF\u0281\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdSg\ufffdY\ufffd\ufffd\ufffd\u0005F$89\u0011\ufffd\ufffd7nG\ufffdLe;vf*\ufffd\ufffd>\ufffd\f \ufffd\ufffd\u0465\ufffd\ufffd\ufffd\ufffdh\u0019\ufffd|\ufffd\ufffd\u0331\ufffd,\ufffd\ufffd\ufffdY\ufffde\ufffd\ufffdTF\u0281\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdSg\ufffdY\ufffd\ufffd\ufffdF$89\ufffd\ufffd7nG\ufffdLe;vf*\ufffd\ufffd>\ufffd \ufffd\ufffd\u0465\ufffd\ufffd\ufffd\ufffdh\ufffd|\ufffd\ufffd\u0331\ufffd,\ufffd\ufffd\ufffdY\ufffde\ufffd\ufffdTF\u0281\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
��������������^�;kO���z�s����9��ٱ�D������ �y#����8 ݁�D�Ŧ!Z���c�=���q<��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������^�;kO���z�s����9��ٱ�D������ �y#����8 ݁�D�Ŧ!Z���c�=���q<��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������^�;kO���z�s����9��ٱ�D������ �y#����8 ݁�D�Ŧ!Z���c�=���q<��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��.U�$%ܛ�����1p/<� �f������~��5
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.922144101401733,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "fc06c824df4a804d476b0e89a599ce8d4ad2c0c4",
"event_fingerprint": "73de1024b23993e40693db328fc9a5b5266e5167",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2250769bf7bfa7b5d01e9a401c1d5fe1",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd^\ufffd;kO\ufffd\ufffd\ufffdz\ufffds\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\u0671\ufffdD\ufffd\ufffd\ufffd\ufffd\u0001\ufffd \ufffdy#\ufffd\ufffd\ufffd\ufffd8 \u0741\ufffdD\u0007\u0166!Z\u0010\ufffd\ufffdc\ufffd=\ufffd\ufffd\u0015q<\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd^\ufffd;kO\ufffd\ufffd\ufffdz\ufffds\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\u0671\ufffdD\ufffd\ufffd\ufffd\ufffd\u0001\ufffd \ufffdy#\ufffd\ufffd\ufffd\ufffd8 \u0741\ufffdD\u0007\u0166!Z\u0010\ufffd\ufffdc\ufffd=\ufffd\ufffd\u0015q<\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd.U\ufffd$%\u071b\u000e\ufffd\ufffd\ufffd\ufffd1p\/<\ufffd\t\ufffdf\ufffd\ufffd\ufffd\ufffd\u0016\ufffd~\ufffd\ufffd5",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd^\ufffd;kO\ufffd\ufffd\ufffdz\ufffds\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\u0671\ufffdD\ufffd\ufffd\ufffd\ufffd\u0001\ufffd \ufffdy#\ufffd\ufffd\ufffd\ufffd8 \u0741\ufffdD\u0007\u0166!Z\u0010\ufffd\ufffdc\ufffd=\ufffd\ufffd\u0015q<\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "14502808ba9298b2a0dd96206dbff54af6d8d398",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd^\ufffd;kO\ufffd\ufffd\ufffdz\ufffds\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\u0671\ufffdD\ufffd\ufffd\ufffd\ufffd\u0001\ufffd \ufffdy#\ufffd\ufffd\ufffd\ufffd8 \u0741\ufffdD\u0007\u0166!Z\u0010\ufffd\ufffdc\ufffd=\ufffd\ufffd\u0015q<\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd;kO\ufffd\ufffd\ufffdz\ufffds\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\u0671\ufffdD\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdy#\ufffd\ufffd\ufffd\ufffd8 \u0741\ufffdD\u0166!Z\ufffd\ufffdc\ufffd=\ufffd\ufffdq<\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd^\ufffd;kO\ufffd\ufffd\ufffdz\ufffds\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\u0671\ufffdD\ufffd\ufffd\ufffd\ufffd\u0001\ufffd \ufffdy#\ufffd\ufffd\ufffd\ufffd8 \u0741\ufffdD\u0007\u0166!Z\u0010\ufffd\ufffdc\ufffd=\ufffd\ufffd\u0015q<\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd;kO\ufffd\ufffd\ufffdz\ufffds\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\u0671\ufffdD\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdy#\ufffd\ufffd\ufffd\ufffd8 \u0741\ufffdD\u0166!Z\ufffd\ufffdc\ufffd=\ufffd\ufffdq<\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
�����������(��J��-�2Ӌ�QfK��y��.�S+\#R�Ih }�R~N������x5J�p��86�)���A*1��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������(��J��-�2Ӌ�QfK��y��.�S+\#R�Ih }�R~N������x5J�p��86�)���A*1��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������(��J��-�2Ӌ�QfK��y��.�S+\#R�Ih }�R~N������x5J�p��86�)���A*1��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �6^�ߵ���*����l���e��h��������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.845316370440187,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "fc06c824df4a804d476b0e89a599ce8d4ad2c0c4",
"event_fingerprint": "73de1024b23993e40693db328fc9a5b5266e5167",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "901827a8254c2a719453233eebd3dedb",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003(\ufffd\ufffdJ\u0017\ufffd-\ufffd2\u04cb\u0006QfK\u000e\ufffdy\ufffd\ufffd.\ufffdS+\\#R\ufffdIh }\ufffdR~\u0558N\ufffd\ufffd\u0011\ufffd\ufffd\u0001x5J\ufffdp\ufffd\ufffd86\ufffd)\ufffd\ufffd\ufffdA*1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003(\ufffd\ufffdJ\u0017\ufffd-\ufffd2\u04cb\u0006QfK\u000e\ufffdy\ufffd\ufffd.\ufffdS+\\#R\ufffdIh }\ufffdR~\u0558N\ufffd\ufffd\u0011\ufffd\ufffd\u0001x5J\ufffdp\ufffd\ufffd86\ufffd)\ufffd\ufffd\ufffdA*1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd6^\ufffd\u07f5\u0016\ufffd\u0018*\u001d\u0004\u0000\u000fl\u0002\ufffd\ufffde\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\t",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003(\ufffd\ufffdJ\u0017\ufffd-\ufffd2\u04cb\u0006QfK\u000e\ufffdy\ufffd\ufffd.\ufffdS+\\#R\ufffdIh }\ufffdR~\u0558N\ufffd\ufffd\u0011\ufffd\ufffd\u0001x5J\ufffdp\ufffd\ufffd86\ufffd)\ufffd\ufffd\ufffdA*1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c81f49e75be022c0fee87200077c29fc38553c09",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003(\ufffd\ufffdJ\u0017\ufffd-\ufffd2\u04cb\u0006QfK\u000e\ufffdy\ufffd\ufffd.\ufffdS+\\#R\ufffdIh }\ufffdR~\u0558N\ufffd\ufffd\u0011\ufffd\ufffd\u0001x5J\ufffdp\ufffd\ufffd86\ufffd)\ufffd\ufffd\ufffdA*1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd(\ufffd\ufffdJ\ufffd-\ufffd2\u04cbQfK\ufffdy\ufffd\ufffd.\ufffdS+\\#R\ufffdIh }\ufffdR~\u0558N\ufffd\ufffd\ufffd\ufffdx5J\ufffdp\ufffd\ufffd86\ufffd)\ufffd\ufffd\ufffdA*1\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003(\ufffd\ufffdJ\u0017\ufffd-\ufffd2\u04cb\u0006QfK\u000e\ufffdy\ufffd\ufffd.\ufffdS+\\#R\ufffdIh }\ufffdR~\u0558N\ufffd\ufffd\u0011\ufffd\ufffd\u0001x5J\ufffdp\ufffd\ufffd86\ufffd)\ufffd\ufffd\ufffdA*1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd(\ufffd\ufffdJ\ufffd-\ufffd2\u04cbQfK\ufffdy\ufffd\ufffd.\ufffdS+\\#R\ufffdIh }\ufffdR~\u0558N\ufffd\ufffd\ufffd\ufffdx5J\ufffdp\ufffd\ufffd86\ufffd)\ufffd\ufffd\ufffdA*1\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
�������������2��|�ংX����?X)��,E�"�U�V���> ��o����唶��� Yt� ��m��:������w�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������2��|�ংX����?X)��,E�"�U�V���> ��o����唶����Yt�
��m��:������w�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������2��|�ংX����?X)��,E�"�U�V���> ��o����唶��� Yt� ��m��:������w�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� H%��~m��f�brK- ��"J- %._������K
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.835690196294859,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "fc06c824df4a804d476b0e89a599ce8d4ad2c0c4",
"event_fingerprint": "73de1024b23993e40693db328fc9a5b5266e5167",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d1a791a4f719476650366eca428a3e1e",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001c\ufffd2\u001e\ufffd|\ufffd\u0982X\ufffd\ufffd\ufffd\u0019?X)\ufffd\ufffd,E\ufffd\"\u0010U\ufffdV\ufffd\u001c\ufffd> \ufffd\u000eo\ufffd\ufffd\ufffd\ufffd\u5536\ufffd\u001b\ufffd\u000bYt\u0005\n\ufffd\ufffdm\u000e\ufffd:\ufffd\ufffd\u0000\ufffd\ufffd\ufffdw\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001c\ufffd2\u001e\ufffd|\ufffd\u0982X\ufffd\ufffd\ufffd\u0019?X)\ufffd\ufffd,E\ufffd\"\u0010U\ufffdV\ufffd\u001c\ufffd> \ufffd\u000eo\ufffd\ufffd\ufffd\ufffd\u5536\ufffd\u001b\ufffd\u000bYt\u0005\n\ufffd\ufffdm\u000e\ufffd:\ufffd\ufffd\u0000\ufffd\ufffd\ufffdw\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 H%\ufffd\ufffd~m\ufffd\ufffdf\ufffdbrK-\n\ufffd\ufffd\"J-\t%._\ufffd\ufffd\u0019\ufffd\u0016\ufffdK",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001c\ufffd2\u001e\ufffd|\ufffd\u0982X\ufffd\ufffd\ufffd\u0019?X)\ufffd\ufffd,E\ufffd\"\u0010U\ufffdV\ufffd\u001c\ufffd> \ufffd\u000eo\ufffd\ufffd\ufffd\ufffd\u5536\ufffd\u001b\ufffd\u000bYt\u0005\n\ufffd\ufffdm\u000e\ufffd:\ufffd\ufffd\u0000\ufffd\ufffd\ufffdw\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7f8750b77e1f82c34f1848190109c542ded43f0f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001c\ufffd2\u001e\ufffd|\ufffd\u0982X\ufffd\ufffd\ufffd\u0019?X)\ufffd\ufffd,E\ufffd\"\u0010U\ufffdV\ufffd\u001c\ufffd> \ufffd\u000eo\ufffd\ufffd\ufffd\ufffd\u5536\ufffd\u001b\ufffd\u000bYt\u0005\n\ufffd\ufffdm\u000e\ufffd:\ufffd\ufffd\u0000\ufffd\ufffd\ufffdw\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\ufffd2\ufffd|\ufffd\u0982X\ufffd\ufffd\ufffd?X)\ufffd\ufffd,E\ufffd\"U\ufffdV\ufffd\ufffd> \ufffdo\ufffd\ufffd\ufffd\ufffd\u5536\ufffd\ufffdYt\n\ufffd\ufffdm\ufffd:\ufffd\ufffd\ufffd\ufffd\ufffdw&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001c\ufffd2\u001e\ufffd|\ufffd\u0982X\ufffd\ufffd\ufffd\u0019?X)\ufffd\ufffd,E\ufffd\"\u0010U\ufffdV\ufffd\u001c\ufffd> \ufffd\u000eo\ufffd\ufffd\ufffd\ufffd\u5536\ufffd\u001b\ufffd\u000bYt\u0005\n\ufffd\ufffdm\u000e\ufffd:\ufffd\ufffd\u0000\ufffd\ufffd\ufffdw\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd2\ufffd|\ufffd\u0982X\ufffd\ufffd\ufffd?X)\ufffd\ufffd,E\ufffd\"U\ufffdV\ufffd\ufffd> \ufffdo\ufffd\ufffd\ufffd\ufffd\u5536\ufffd\ufffdYt\n\ufffd\ufffdm\ufffd:\ufffd\ufffd\ufffd\ufffd\ufffdw&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
�������������*��?t��q�@̏,�����D5��ukJH�� � '碢9���鹾�E�� \3z}6ߑ��N���;�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������*��?t��q�@̏,�����D5��ukJH�� �
'碢9���鹾�E���\3z}6ߑ��N���;�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������*��?t��q�@̏,�����D5��ukJH�� � '碢9���鹾�E�� \3z}6ߑ��N���;�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� 1����������R�j��<�i����[�]�*ѕ}
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.915494972443533,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "fc06c824df4a804d476b0e89a599ce8d4ad2c0c4",
"event_fingerprint": "73de1024b23993e40693db328fc9a5b5266e5167",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e931dc23b303110c21e50394a6ea8f2a",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd*\ufffd\ufffd?t\u001e\ufffdq\u001c@\u030f,\ufffd\ufffd\u0010\ufffd\ufffdD5\ufffd\ufffdukJH\u0003\ufffd \ufffd\n'\u78a29\u000e\ufffd\ufffd\u9e7e\ufffdE\u000f\ufffd\u000b\\3z}6\u07d1\u0013\ufffdN\ufffd\ufffd\ufffd;\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd*\ufffd\ufffd?t\u001e\ufffdq\u001c@\u030f,\ufffd\ufffd\u0010\ufffd\ufffdD5\ufffd\ufffdukJH\u0003\ufffd \ufffd\n'\u78a29\u000e\ufffd\ufffd\u9e7e\ufffdE\u000f\ufffd\u000b\\3z}6\u07d1\u0013\ufffdN\ufffd\ufffd\ufffd;\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 1\u001a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0006\u001bR\ufffdj\ufffd\ufffd<\ufffdi\ufffd\u001f\ufffd\u001a[\ufffd]\ufffd*\u0455}",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd*\ufffd\ufffd?t\u001e\ufffdq\u001c@\u030f,\ufffd\ufffd\u0010\ufffd\ufffdD5\ufffd\ufffdukJH\u0003\ufffd \ufffd\n'\u78a29\u000e\ufffd\ufffd\u9e7e\ufffdE\u000f\ufffd\u000b\\3z}6\u07d1\u0013\ufffdN\ufffd\ufffd\ufffd;\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3426630a6472f603150bff103fc85c8ed1bbb737",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd*\ufffd\ufffd?t\u001e\ufffdq\u001c@\u030f,\ufffd\ufffd\u0010\ufffd\ufffdD5\ufffd\ufffdukJH\u0003\ufffd \ufffd\n'\u78a29\u000e\ufffd\ufffd\u9e7e\ufffdE\u000f\ufffd\u000b\\3z}6\u07d1\u0013\ufffdN\ufffd\ufffd\ufffd;\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd*\ufffd\ufffd?t\ufffdq@\u030f,\ufffd\ufffd\ufffd\ufffdD5\ufffd\ufffdukJH\ufffd \ufffd\n'\u78a29\ufffd\ufffd\u9e7e\ufffdE\ufffd\\3z}6\u07d1\ufffdN\ufffd\ufffd\ufffd;&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd*\ufffd\ufffd?t\u001e\ufffdq\u001c@\u030f,\ufffd\ufffd\u0010\ufffd\ufffdD5\ufffd\ufffdukJH\u0003\ufffd \ufffd\n'\u78a29\u000e\ufffd\ufffd\u9e7e\ufffdE\u000f\ufffd\u000b\\3z}6\u07d1\u0013\ufffdN\ufffd\ufffd\ufffd;\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd*\ufffd\ufffd?t\ufffdq@\u030f,\ufffd\ufffd\ufffd\ufffdD5\ufffd\ufffdukJH\ufffd \ufffd\n'\u78a29\ufffd\ufffd\u9e7e\ufffdE\ufffd\\3z}6\u07d1\ufffdN\ufffd\ufffd\ufffd;&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
����������� �ߎ�Z���K|0�Uȯ�g�l����7��?�r$� ����A�C�]O~���c���l5�~ � յ����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������ߎ�Z���K|0�Uȯ�g�l����7��?�r$� ����A�C�]O~���c���l5�~��
յ����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
����������� �ߎ�Z���K|0�Uȯ�g�l����7��?�r$� ����A�C�]O~���c���l5�~ � յ����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���H��㢄h��oZ�r0�1߿�j��W>��d
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.83790512808921,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "fc06c824df4a804d476b0e89a599ce8d4ad2c0c4",
"event_fingerprint": "73de1024b23993e40693db328fc9a5b5266e5167",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e6f6682759303254b6940350b014663e",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\ufffd\u07ce\ufffdZ\ufffd\ufffd\u0012K|0\ufffdU\u022f\ufffdg\u0013l\ufffd\ufffd\ufffd\ufffd7\ufffd\ufffd?\ufffdr$\ufffd \ufffd\u001b\ufffd\ufffdA\ufffdC\ufffd]O~\u009f\ufffd\ufffd\ufffdc\ufffd\ufffd\u0017l5\ufffd~\u000b\ufffd\n\u0575\u001e\u0010\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\ufffd\u07ce\ufffdZ\ufffd\ufffd\u0012K|0\ufffdU\u022f\ufffdg\u0013l\ufffd\ufffd\ufffd\ufffd7\ufffd\ufffd?\ufffdr$\ufffd \ufffd\u001b\ufffd\ufffdA\ufffdC\ufffd]O~\u009f\ufffd\ufffd\ufffdc\ufffd\ufffd\u0017l5\ufffd~\u000b\ufffd\n\u0575\u001e\u0010\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdH\ufffd\ufffd\u3884h\ufffd\ufffdoZ\ufffdr0\ufffd1\u07ff\ufffdj\u0016\ufffdW>\ufffd\ufffdd",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\ufffd\u07ce\ufffdZ\ufffd\ufffd\u0012K|0\ufffdU\u022f\ufffdg\u0013l\ufffd\ufffd\ufffd\ufffd7\ufffd\ufffd?\ufffdr$\ufffd \ufffd\u001b\ufffd\ufffdA\ufffdC\ufffd]O~\u009f\ufffd\ufffd\ufffdc\ufffd\ufffd\u0017l5\ufffd~\u000b\ufffd\n\u0575\u001e\u0010\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "33b8ce93aaf354390dfcd71c4b280788ed2aab62",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\ufffd\u07ce\ufffdZ\ufffd\ufffd\u0012K|0\ufffdU\u022f\ufffdg\u0013l\ufffd\ufffd\ufffd\ufffd7\ufffd\ufffd?\ufffdr$\ufffd \ufffd\u001b\ufffd\ufffdA\ufffdC\ufffd]O~\u009f\ufffd\ufffd\ufffdc\ufffd\ufffd\u0017l5\ufffd~\u000b\ufffd\n\u0575\u001e\u0010\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\u07ce\ufffdZ\ufffd\ufffdK|0\ufffdU\u022f\ufffdgl\ufffd\ufffd\ufffd\ufffd7\ufffd\ufffd?\ufffdr$\ufffd \ufffd\ufffd\ufffdA\ufffdC\ufffd]O~\u009f\ufffd\ufffd\ufffdc\ufffd\ufffdl5\ufffd~\ufffd\n\u0575\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\ufffd\u07ce\ufffdZ\ufffd\ufffd\u0012K|0\ufffdU\u022f\ufffdg\u0013l\ufffd\ufffd\ufffd\ufffd7\ufffd\ufffd?\ufffdr$\ufffd \ufffd\u001b\ufffd\ufffdA\ufffdC\ufffd]O~\u009f\ufffd\ufffd\ufffdc\ufffd\ufffd\u0017l5\ufffd~\u000b\ufffd\n\u0575\u001e\u0010\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\u07ce\ufffdZ\ufffd\ufffdK|0\ufffdU\u022f\ufffdgl\ufffd\ufffd\ufffd\ufffd7\ufffd\ufffd?\ufffdr$\ufffd \ufffd\ufffd\ufffdA\ufffdC\ufffd]O~\u009f\ufffd\ufffd\ufffdc\ufffd\ufffdl5\ufffd~\ufffd\n\u0575\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
������������Wݹ��!&3�L��Q@�о.�>ʎ���i��c�� �������ە��p����n��f����Iđ�r�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������Wݹ��!&3�L��Q@�о.�>ʎ���i��c�� �������ە��p����n��f����Iđ�r�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������Wݹ��!&3�L��Q@�о.�>ʎ���i��c�� �������ە��p����n��f����Iđ�r�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �n�����U ���$0�9RAO�<��Ɯ�PV:��!
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.92832203383999,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "fc06c824df4a804d476b0e89a599ce8d4ad2c0c4",
"event_fingerprint": "73de1024b23993e40693db328fc9a5b5266e5167",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b9341490d2d2cf2bb71bc1666654e6d6",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdW\u0779\ufffd\ufffd!&3\ufffdL\ufffd\ufffdQ@\ufffd\u043e.\ufffd>\u028e\ufffd\ufffd\ufffdi\ufffd\ufffdc\u0006\ufffd \ufffd\ufffd\ufffd\u0011\ufffd\u0010\ufffd\u06d5\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffdn\ufffd\u0019f\u000f\ufffd\u0002\ufffdI\u0111\ufffdr\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdW\u0779\ufffd\ufffd!&3\ufffdL\ufffd\ufffdQ@\ufffd\u043e.\ufffd>\u028e\ufffd\ufffd\ufffdi\ufffd\ufffdc\u0006\ufffd \ufffd\ufffd\ufffd\u0011\ufffd\u0010\ufffd\u06d5\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffdn\ufffd\u0019f\u000f\ufffd\u0002\ufffdI\u0111\ufffdr\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdn\ufffd\ufffd\u000e\ufffd\ufffdU\n\ufffd\ufffd\ufffd$0\ufffd9RAO\ufffd<\u001f\ufffd\u019c\u001bPV:\ufffd\b!",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdW\u0779\ufffd\ufffd!&3\ufffdL\ufffd\ufffdQ@\ufffd\u043e.\ufffd>\u028e\ufffd\ufffd\ufffdi\ufffd\ufffdc\u0006\ufffd \ufffd\ufffd\ufffd\u0011\ufffd\u0010\ufffd\u06d5\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffdn\ufffd\u0019f\u000f\ufffd\u0002\ufffdI\u0111\ufffdr\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "35d1c0d6afcc19958209ee3f624c2c4e2f5e1e5a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdW\u0779\ufffd\ufffd!&3\ufffdL\ufffd\ufffdQ@\ufffd\u043e.\ufffd>\u028e\ufffd\ufffd\ufffdi\ufffd\ufffdc\u0006\ufffd \ufffd\ufffd\ufffd\u0011\ufffd\u0010\ufffd\u06d5\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffdn\ufffd\u0019f\u000f\ufffd\u0002\ufffdI\u0111\ufffdr\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\ufffdW\u0779\ufffd\ufffd!&3\ufffdL\ufffd\ufffdQ@\ufffd\u043e.\ufffd>\u028e\ufffd\ufffd\ufffdi\ufffd\ufffdc\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\u06d5\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffdn\ufffdf\ufffd\ufffdI\u0111\ufffdr&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdW\u0779\ufffd\ufffd!&3\ufffdL\ufffd\ufffdQ@\ufffd\u043e.\ufffd>\u028e\ufffd\ufffd\ufffdi\ufffd\ufffdc\u0006\ufffd \ufffd\ufffd\ufffd\u0011\ufffd\u0010\ufffd\u06d5\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffdn\ufffd\u0019f\u000f\ufffd\u0002\ufffdI\u0111\ufffdr\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdW\u0779\ufffd\ufffd!&3\ufffdL\ufffd\ufffdQ@\ufffd\u043e.\ufffd>\u028e\ufffd\ufffd\ufffdi\ufffd\ufffdc\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\u06d5\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffdn\ufffdf\ufffd\ufffdI\u0111\ufffdr&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
������������B��X{H�����������s%I�����O�Xf�� �a������Z1\l�T��_����c)z�0�6����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������B��X{H�����������s%I�����O�Xf�� �a������Z1\l�T��_����c)z�0�6����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������B��X{H�����������s%I�����O�Xf�� �a������Z1\l�T��_����c)z�0�6����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �M@"3��9���b��ᕀK��^,�� ,�u�bIA
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.835879303669319,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "77ca43667d991e00677fe6e4b0b6a2dd2ad4c8c6",
"event_fingerprint": "fa281e43a1524838258f20bc7430f72a1b8654b1",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c076dfcd1022476cf0c2dbfdb9912182",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0012B\u001f\ufffdX{H\ufffd\u001f\ufffd\ufffd\u0015\u0005\ufffd\ufffd\ufffd\ufffd\ufffds%I\u0019\ufffd\ufffd\ufffd\ufffdO\ufffdXf\u0003\ufffd \ufffda\u0003\u001f\ufffd\ufffd\ufffd\ufffdZ1\\l\ufffdT\ufffd\ufffd_\u0015\ufffd\ufffd\u001ac)z\ufffd0\b6\ufffd\u0013\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0012B\u001f\ufffdX{H\ufffd\u001f\ufffd\ufffd\u0015\u0005\ufffd\ufffd\ufffd\ufffd\ufffds%I\u0019\ufffd\ufffd\ufffd\ufffdO\ufffdXf\u0003\ufffd \ufffda\u0003\u001f\ufffd\ufffd\ufffd\ufffdZ1\\l\ufffdT\ufffd\ufffd_\u0015\ufffd\ufffd\u001ac)z\ufffd0\b6\ufffd\u0013\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdM@\"3\ufffd\ufffd9\ufffd\ufffd\ufffdb\ufffd\ufffd\u1540K\ufffd\ufffd^,\u0006\ufffd\r,\ufffdu\ufffdbIA",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0012B\u001f\ufffdX{H\ufffd\u001f\ufffd\ufffd\u0015\u0005\ufffd\ufffd\ufffd\ufffd\ufffds%I\u0019\ufffd\ufffd\ufffd\ufffdO\ufffdXf\u0003\ufffd \ufffda\u0003\u001f\ufffd\ufffd\ufffd\ufffdZ1\\l\ufffdT\ufffd\ufffd_\u0015\ufffd\ufffd\u001ac)z\ufffd0\b6\ufffd\u0013\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "15663546c1a4f906b96381139be420302d42bc73",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0012B\u001f\ufffdX{H\ufffd\u001f\ufffd\ufffd\u0015\u0005\ufffd\ufffd\ufffd\ufffd\ufffds%I\u0019\ufffd\ufffd\ufffd\ufffdO\ufffdXf\u0003\ufffd \ufffda\u0003\u001f\ufffd\ufffd\ufffd\ufffdZ1\\l\ufffdT\ufffd\ufffd_\u0015\ufffd\ufffd\u001ac)z\ufffd0\b6\ufffd\u0013\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffdB\ufffdX{H\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffds%I\ufffd\ufffd\ufffd\ufffdO\ufffdXf\ufffd \ufffda\ufffd\ufffd\ufffd\ufffdZ1\\l\ufffdT\ufffd\ufffd_\ufffd\ufffdc)z\ufffd06\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0012B\u001f\ufffdX{H\ufffd\u001f\ufffd\ufffd\u0015\u0005\ufffd\ufffd\ufffd\ufffd\ufffds%I\u0019\ufffd\ufffd\ufffd\ufffdO\ufffdXf\u0003\ufffd \ufffda\u0003\u001f\ufffd\ufffd\ufffd\ufffdZ1\\l\ufffdT\ufffd\ufffd_\u0015\ufffd\ufffd\u001ac)z\ufffd0\b6\ufffd\u0013\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdB\ufffdX{H\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffds%I\ufffd\ufffd\ufffd\ufffdO\ufffdXf\ufffd \ufffda\ufffd\ufffd\ufffd\ufffdZ1\\l\ufffdT\ufffd\ufffd_\ufffd\ufffdc)z\ufffd06\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
������������+��"I�4r�����w��k_��EĠ �S��S�� ����{Y����j/~%�3d=I2k��j� ��C��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������+��"I�4r�����w��k_��EĠ
�S��S�� ����{Y����j/~%�3d=I2k��j� ��C��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������+��"I�4r�����w��k_��EĠ �S��S�� ����{Y����j/~%�3d=I2k��j� ��C��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ����m�>w������uJ4l�>�v��-��@�r
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.777802500572054,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "77ca43667d991e00677fe6e4b0b6a2dd2ad4c8c6",
"event_fingerprint": "fa281e43a1524838258f20bc7430f72a1b8654b1",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b042665eb7b7b7cc1bda045797da1073",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\u0013\ufffd\"I\u00174r\u0015\ufffd\ufffd\ufffd\u0014w\ufffd\ufffdk_\ufffd\ufffdE\u0120\n\ufffdS\ufffd\ufffdS\u0016\ufffd \ufffd\ufffd\ufffd\ufffd{Y\u0007\ufffd\ufffd\ufffdj\/~%\ufffd3d=I2k\ufffd\ufffdj\ufffd \ufffd\ufffdC\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\u0013\ufffd\"I\u00174r\u0015\ufffd\ufffd\ufffd\u0014w\ufffd\ufffdk_\ufffd\ufffdE\u0120\n\ufffdS\ufffd\ufffdS\u0016\ufffd \ufffd\ufffd\ufffd\ufffd{Y\u0007\ufffd\ufffd\ufffdj\/~%\ufffd3d=I2k\ufffd\ufffdj\ufffd \ufffd\ufffdC\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \f\ufffd\u0007\ufffd\ufffdm\ufffd>w\ufffd\u0002\u0011\ufffd\u0006\ufffduJ4l\ufffd>\u0004v\ufffd\u0013-\u0010\ufffd@\ufffdr",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\u0013\ufffd\"I\u00174r\u0015\ufffd\ufffd\ufffd\u0014w\ufffd\ufffdk_\ufffd\ufffdE\u0120\n\ufffdS\ufffd\ufffdS\u0016\ufffd \ufffd\ufffd\ufffd\ufffd{Y\u0007\ufffd\ufffd\ufffdj\/~%\ufffd3d=I2k\ufffd\ufffdj\ufffd \ufffd\ufffdC\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7092de39d263d072ce24ec5cd8c9368120213c41",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\u0013\ufffd\"I\u00174r\u0015\ufffd\ufffd\ufffd\u0014w\ufffd\ufffdk_\ufffd\ufffdE\u0120\n\ufffdS\ufffd\ufffdS\u0016\ufffd \ufffd\ufffd\ufffd\ufffd{Y\u0007\ufffd\ufffd\ufffdj\/~%\ufffd3d=I2k\ufffd\ufffdj\ufffd \ufffd\ufffdC\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\ufffd+\ufffd\"I4r\ufffd\ufffd\ufffdw\ufffd\ufffdk_\ufffd\ufffdE\u0120\n\ufffdS\ufffd\ufffdS\ufffd \ufffd\ufffd\ufffd\ufffd{Y\ufffd\ufffd\ufffdj\/~%\ufffd3d=I2k\ufffd\ufffdj\ufffd \ufffd\ufffdC\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\u0013\ufffd\"I\u00174r\u0015\ufffd\ufffd\ufffd\u0014w\ufffd\ufffdk_\ufffd\ufffdE\u0120\n\ufffdS\ufffd\ufffdS\u0016\ufffd \ufffd\ufffd\ufffd\ufffd{Y\u0007\ufffd\ufffd\ufffdj\/~%\ufffd3d=I2k\ufffd\ufffdj\ufffd \ufffd\ufffdC\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd+\ufffd\"I4r\ufffd\ufffd\ufffdw\ufffd\ufffdk_\ufffd\ufffdE\u0120\n\ufffdS\ufffd\ufffdS\ufffd \ufffd\ufffd\ufffd\ufffd{Y\ufffd\ufffd\ufffdj\/~%\ufffd3d=I2k\ufffd\ufffdj\ufffd \ufffd\ufffdC\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
�����������Q*Ԉ���8�����9����7�^0�;��>�2.�� IE�VZܰ�4u����[ƥ�TZ�K�����/�D��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������Q*Ԉ���8�����9����7�^0�;��>�2.�� IE�VZܰ�4u����[ƥ�TZ�K�����/�D��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������Q*Ԉ���8�����9����7�^0�;��>�2.�� IE�VZܰ�4u����[ƥ�TZ�K�����/�D��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��疱����0 �|U�+��LNṝӷrK a%jK
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.805387399076546,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "77ca43667d991e00677fe6e4b0b6a2dd2ad4c8c6",
"event_fingerprint": "fa281e43a1524838258f20bc7430f72a1b8654b1",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a72c55dd9da2893d33050792202a1368",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q*\u0508\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd7\ufffd^0\ufffd;\ufffd\ufffd>\ufffd2.\ufffd\ufffd IE\ufffdVZ\u0730\ufffd4u\ufffd\u0006\ufffd\ufffd[\u01a5\u0019TZ\ufffdK\u0019\u0013\ufffd\ufffd\ufffd\/\ufffdD\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q*\u0508\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd7\ufffd^0\ufffd;\ufffd\ufffd>\ufffd2.\ufffd\ufffd IE\ufffdVZ\u0730\ufffd4u\ufffd\u0006\ufffd\ufffd[\u01a5\u0019TZ\ufffdK\u0019\u0013\ufffd\ufffd\ufffd\/\ufffdD\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0006\ufffd\u75b1\u0000\ufffd\u0013\ufffd0 \ufffd|U\ufffd+\ufffd\ufffdLN\u1e5d\u04f7rK\u000ba%jK",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q*\u0508\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd7\ufffd^0\ufffd;\ufffd\ufffd>\ufffd2.\ufffd\ufffd IE\ufffdVZ\u0730\ufffd4u\ufffd\u0006\ufffd\ufffd[\u01a5\u0019TZ\ufffdK\u0019\u0013\ufffd\ufffd\ufffd\/\ufffdD\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f395cde16d037ebed0a80e01c07c3b19c191fdac",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q*\u0508\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd7\ufffd^0\ufffd;\ufffd\ufffd>\ufffd2.\ufffd\ufffd IE\ufffdVZ\u0730\ufffd4u\ufffd\u0006\ufffd\ufffd[\u01a5\u0019TZ\ufffdK\u0019\u0013\ufffd\ufffd\ufffd\/\ufffdD\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffdQ*\u0508\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd7\ufffd^0\ufffd;\ufffd\ufffd>\ufffd2.\ufffd\ufffd IE\ufffdVZ\u0730\ufffd4u\ufffd\ufffd\ufffd[\u01a5TZ\ufffdK\ufffd\ufffd\ufffd\/\ufffdD\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Q*\u0508\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd7\ufffd^0\ufffd;\ufffd\ufffd>\ufffd2.\ufffd\ufffd IE\ufffdVZ\u0730\ufffd4u\ufffd\u0006\ufffd\ufffd[\u01a5\u0019TZ\ufffdK\u0019\u0013\ufffd\ufffd\ufffd\/\ufffdD\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdQ*\u0508\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd7\ufffd^0\ufffd;\ufffd\ufffd>\ufffd2.\ufffd\ufffd IE\ufffdVZ\u0730\ufffd4u\ufffd\ufffd\ufffd[\u01a5TZ\ufffdK\ufffd\ufffd\ufffd\/\ufffdD\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
�������������sض����S�4��Q� ;6���e��d�<�.� Z9�}������|1�+�"x�X������:�W]c���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������sض����S�4��Q�
;6���e��d�<�.� Z9�}������|1�+�"x�X������:�W]c���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������sض����S�4��Q� ;6���e��d�<�.� Z9�}������|1�+�"x�X������:�W]c���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� W��7�)����KpH��pe �4���b�g�����.
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.833922206894261,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "77ca43667d991e00677fe6e4b0b6a2dd2ad4c8c6",
"event_fingerprint": "fa281e43a1524838258f20bc7430f72a1b8654b1",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9bb53fef527f96f474b20b9f08d2dccf",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001fs\u0636\ufffd\ufffd\ufffd\ufffdS\ufffd4\ufffd\ufffdQ\ufffd\n;6\ufffd\ufffd\ufffde\ufffd\ufffdd\ufffd<\ufffd.\ufffd Z9\u0012}\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd|1\ufffd+\ufffd\"x\ufffdX\ufffd\ufffd\u0007\ufffd\ufffd\ufffd:\ufffdW]c\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001fs\u0636\ufffd\ufffd\ufffd\ufffdS\ufffd4\ufffd\ufffdQ\ufffd\n;6\ufffd\ufffd\ufffde\ufffd\ufffdd\ufffd<\ufffd.\ufffd Z9\u0012}\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd|1\ufffd+\ufffd\"x\ufffdX\ufffd\ufffd\u0007\ufffd\ufffd\ufffd:\ufffdW]c\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 W\u0014\u001b7\ufffd)\ufffd\ufffd\ufffd\ufffdKpH\ufffd\ufffdpe \ufffd4\ufffd\ufffd\ufffdb\u0018g\ufffd\ufffd\u0000\ufffd\ufffd.",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001fs\u0636\ufffd\ufffd\ufffd\ufffdS\ufffd4\ufffd\ufffdQ\ufffd\n;6\ufffd\ufffd\ufffde\ufffd\ufffdd\ufffd<\ufffd.\ufffd Z9\u0012}\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd|1\ufffd+\ufffd\"x\ufffdX\ufffd\ufffd\u0007\ufffd\ufffd\ufffd:\ufffdW]c\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7ad3ece85a86def3ce3631e6b4ceff9ae9b995b9",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001fs\u0636\ufffd\ufffd\ufffd\ufffdS\ufffd4\ufffd\ufffdQ\ufffd\n;6\ufffd\ufffd\ufffde\ufffd\ufffdd\ufffd<\ufffd.\ufffd Z9\u0012}\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd|1\ufffd+\ufffd\"x\ufffdX\ufffd\ufffd\u0007\ufffd\ufffd\ufffd:\ufffdW]c\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\ufffds\u0636\ufffd\ufffd\ufffd\ufffdS\ufffd4\ufffd\ufffdQ\ufffd\n;6\ufffd\ufffd\ufffde\ufffd\ufffdd\ufffd<\ufffd.\ufffd Z9}\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd|1\ufffd+\ufffd\"x\ufffdX\ufffd\ufffd\ufffd\ufffd\ufffd:\ufffdW]c\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001fs\u0636\ufffd\ufffd\ufffd\ufffdS\ufffd4\ufffd\ufffdQ\ufffd\n;6\ufffd\ufffd\ufffde\ufffd\ufffdd\ufffd<\ufffd.\ufffd Z9\u0012}\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd|1\ufffd+\ufffd\"x\ufffdX\ufffd\ufffd\u0007\ufffd\ufffd\ufffd:\ufffdW]c\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffds\u0636\ufffd\ufffd\ufffd\ufffdS\ufffd4\ufffd\ufffdQ\ufffd\n;6\ufffd\ufffd\ufffde\ufffd\ufffdd\ufffd<\ufffd.\ufffd Z9}\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd|1\ufffd+\ufffd\"x\ufffdX\ufffd\ufffd\ufffd\ufffd\ufffd:\ufffdW]c\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
��������������٘��x.{~�YQJ� 8�;�O�߹W������ s�������5�Α�v�"�gF����(Ur��ׅ��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������٘��x.{~�YQJ� 8�;�O�߹W������ s�������5�Α�v�"�gF����(Ur��ׅ��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������٘��x.{~�YQJ� 8�;�O�߹W������ s�������5�Α�v�"�gF����(Ur��ׅ��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �k΄̫<�e�e ���� 41��1����yU�'�L
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.884236918104536,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "77ca43667d991e00677fe6e4b0b6a2dd2ad4c8c6",
"event_fingerprint": "fa281e43a1524838258f20bc7430f72a1b8654b1",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2e35e3f367a7c911f7eec2f0f290cf2a",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0658\ufffd\ufffdx.{~\ufffdYQJ\ufffd 8\u0003;\ufffdO\ufffd\u07f9W\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd s\ufffd\ufffd\ufffd\u0010\u0015\ufffd\ufffd5\ufffd\u0391\ufffdv\u0010\"\ufffdgF\ufffd\ufffd\ufffd\u0016(Ur\u001e\ufffd\u05c5\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0658\ufffd\ufffdx.{~\ufffdYQJ\ufffd 8\u0003;\ufffdO\ufffd\u07f9W\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd s\ufffd\ufffd\ufffd\u0010\u0015\ufffd\ufffd5\ufffd\u0391\ufffdv\u0010\"\ufffdgF\ufffd\ufffd\ufffd\u0016(Ur\u001e\ufffd\u05c5\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001bk\u0384\u032b<\ufffde\ufffde\t\ufffd\ufffd\ufffd\u0015\u000b41\ufffd\ufffd1\ufffd\ufffd\ufffd\ufffdyU\ufffd'\u001cL",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0658\ufffd\ufffdx.{~\ufffdYQJ\ufffd 8\u0003;\ufffdO\ufffd\u07f9W\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd s\ufffd\ufffd\ufffd\u0010\u0015\ufffd\ufffd5\ufffd\u0391\ufffdv\u0010\"\ufffdgF\ufffd\ufffd\ufffd\u0016(Ur\u001e\ufffd\u05c5\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0ed1b85dda6109a340104cddb88a81483ec98682",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0658\ufffd\ufffdx.{~\ufffdYQJ\ufffd 8\u0003;\ufffdO\ufffd\u07f9W\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd s\ufffd\ufffd\ufffd\u0010\u0015\ufffd\ufffd5\ufffd\u0391\ufffdv\u0010\"\ufffdgF\ufffd\ufffd\ufffd\u0016(Ur\u001e\ufffd\u05c5\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\u0658\ufffd\ufffdx.{~\ufffdYQJ\ufffd 8;\ufffdO\ufffd\u07f9W\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd s\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\u0391\ufffdv\"\ufffdgF\ufffd\ufffd\ufffd(Ur\ufffd\u05c5\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0658\ufffd\ufffdx.{~\ufffdYQJ\ufffd 8\u0003;\ufffdO\ufffd\u07f9W\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd s\ufffd\ufffd\ufffd\u0010\u0015\ufffd\ufffd5\ufffd\u0391\ufffdv\u0010\"\ufffdgF\ufffd\ufffd\ufffd\u0016(Ur\u001e\ufffd\u05c5\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\u0658\ufffd\ufffdx.{~\ufffdYQJ\ufffd 8;\ufffdO\ufffd\u07f9W\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd s\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\u0391\ufffdv\"\ufffdgF\ufffd\ufffd\ufffd(Ur\ufffd\u05c5\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
�����������ٸ��#�����ƈ���������H,�}#���(�� YM����z�������ܣؖLϖ�;�w0��P/ �&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������ٸ��#�����ƈ���������H,�}#���(�� YM����z�������ܣؖLϖ�;�w0��P/ �&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������ٸ��#�����ƈ���������H,�}#���(�� YM����z�������ܣؖLϖ�;�w0��P/ �&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �S̚���~G�Rb����j��$@CE�D�f�~
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.768012700113953,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "77ca43667d991e00677fe6e4b0b6a2dd2ad4c8c6",
"event_fingerprint": "fa281e43a1524838258f20bc7430f72a1b8654b1",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "dde26dfe574f6d452a952108927b003e",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0678\ufffd\ufffd#\u0010\ufffd\ufffd\u0015\ufffd\u0188\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH,\ufffd}#\ufffd\ufffd\ufffd(\u0007\ufffd YM\u0016\ufffd\ufffd\u0000z\ufffd\ufffd\u0018\ufffd\ufffd\ufffd\ufffd\u0723\u0616L\u03d6\ufffd;\ufffdw0\u0006\ufffdP\/ \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0678\ufffd\ufffd#\u0010\ufffd\ufffd\u0015\ufffd\u0188\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH,\ufffd}#\ufffd\ufffd\ufffd(\u0007\ufffd YM\u0016\ufffd\ufffd\u0000z\ufffd\ufffd\u0018\ufffd\ufffd\ufffd\ufffd\u0723\u0616L\u03d6\ufffd;\ufffdw0\u0006\ufffdP\/ \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdS\u031a\u0001\ufffd\ufffd~G\u001bRb\u001e\ufffd\ufffd\ufffdj\b\ufffd$@CE\ufffdD\ufffdf\ufffd~",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0678\ufffd\ufffd#\u0010\ufffd\ufffd\u0015\ufffd\u0188\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH,\ufffd}#\ufffd\ufffd\ufffd(\u0007\ufffd YM\u0016\ufffd\ufffd\u0000z\ufffd\ufffd\u0018\ufffd\ufffd\ufffd\ufffd\u0723\u0616L\u03d6\ufffd;\ufffdw0\u0006\ufffdP\/ \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1bd06f9693dadcdffbc799a3cfc7bd2a9fa5b5e2",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0678\ufffd\ufffd#\u0010\ufffd\ufffd\u0015\ufffd\u0188\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH,\ufffd}#\ufffd\ufffd\ufffd(\u0007\ufffd YM\u0016\ufffd\ufffd\u0000z\ufffd\ufffd\u0018\ufffd\ufffd\ufffd\ufffd\u0723\u0616L\u03d6\ufffd;\ufffdw0\u0006\ufffdP\/ \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\u0678\ufffd\ufffd#\ufffd\ufffd\ufffd\u0188\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH,\ufffd}#\ufffd\ufffd\ufffd(\ufffd YM\ufffd\ufffdz\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0723\u0616L\u03d6\ufffd;\ufffdw0\ufffdP\/ &\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0678\ufffd\ufffd#\u0010\ufffd\ufffd\u0015\ufffd\u0188\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH,\ufffd}#\ufffd\ufffd\ufffd(\u0007\ufffd YM\u0016\ufffd\ufffd\u0000z\ufffd\ufffd\u0018\ufffd\ufffd\ufffd\ufffd\u0723\u0616L\u03d6\ufffd;\ufffdw0\u0006\ufffdP\/ \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\u0678\ufffd\ufffd#\ufffd\ufffd\ufffd\u0188\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH,\ufffd}#\ufffd\ufffd\ufffd(\ufffd YM\ufffd\ufffdz\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0723\u0616L\u03d6\ufffd;\ufffdw0\ufffdP\/ &\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
�����������H� �!���ʙ*��)�v:Wb��xPP��4>��� ��zd祾���ҋ��ړ0��������Y�+?C��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������H� �!���ʙ*��)�v:Wb��xPP��4>��� ���zd祾���ҋ��ړ0��������Y�+?C��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������H� �!���ʙ*��)�v:Wb��xPP��4>��� ��zd祾���ҋ��ړ0��������Y�+?C��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� pۗ%�j�Z ?~_Z�W�zv�m����>q���W
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.800809158492832,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "77ca43667d991e00677fe6e4b0b6a2dd2ad4c8c6",
"event_fingerprint": "fa281e43a1524838258f20bc7430f72a1b8654b1",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "5f4af37bb9757f593cdbd4166dbb1647",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0006\t\ufffd!\ufffd\ufffd\ufffd\u0299*\ufffd\u0013)\ufffdv:Wb\ufffd\ufffdxPP\ufffd\u001f4>\ufffd\u0015\ufffd \f\u001c\ufffdzd\u797e\u0012\ufffd\u0003\u048b\ufffd\u0007\u06930\ufffd\u001f\ufffd\ufffd\ufffd\ufffd\ufffd\bY\ufffd+?C\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0006\t\ufffd!\ufffd\ufffd\ufffd\u0299*\ufffd\u0013)\ufffdv:Wb\ufffd\ufffdxPP\ufffd\u001f4>\ufffd\u0015\ufffd \f\u001c\ufffdzd\u797e\u0012\ufffd\u0003\u048b\ufffd\u0007\u06930\ufffd\u001f\ufffd\ufffd\ufffd\ufffd\ufffd\bY\ufffd+?C\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 p\u06d7%\ufffdj\ufffdZ ?~_Z\u001bW\u001fzv\u0011m\u0002\ufffd\ufffd\ufffd>q\u0016\ufffd\ufffdW",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0006\t\ufffd!\ufffd\ufffd\ufffd\u0299*\ufffd\u0013)\ufffdv:Wb\ufffd\ufffdxPP\ufffd\u001f4>\ufffd\u0015\ufffd \f\u001c\ufffdzd\u797e\u0012\ufffd\u0003\u048b\ufffd\u0007\u06930\ufffd\u001f\ufffd\ufffd\ufffd\ufffd\ufffd\bY\ufffd+?C\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a19ac974771cf810056739377175b30778e39003",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0006\t\ufffd!\ufffd\ufffd\ufffd\u0299*\ufffd\u0013)\ufffdv:Wb\ufffd\ufffdxPP\ufffd\u001f4>\ufffd\u0015\ufffd \f\u001c\ufffdzd\u797e\u0012\ufffd\u0003\u048b\ufffd\u0007\u06930\ufffd\u001f\ufffd\ufffd\ufffd\ufffd\ufffd\bY\ufffd+?C\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffdH\t\ufffd!\ufffd\ufffd\ufffd\u0299*\ufffd)\ufffdv:Wb\ufffd\ufffdxPP\ufffd4>\ufffd\ufffd \ufffdzd\u797e\ufffd\u048b\ufffd\u06930\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdY\ufffd+?C\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0006\t\ufffd!\ufffd\ufffd\ufffd\u0299*\ufffd\u0013)\ufffdv:Wb\ufffd\ufffdxPP\ufffd\u001f4>\ufffd\u0015\ufffd \f\u001c\ufffdzd\u797e\u0012\ufffd\u0003\u048b\ufffd\u0007\u06930\ufffd\u001f\ufffd\ufffd\ufffd\ufffd\ufffd\bY\ufffd+?C\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdH\t\ufffd!\ufffd\ufffd\ufffd\u0299*\ufffd)\ufffdv:Wb\ufffd\ufffdxPP\ufffd4>\ufffd\ufffd \ufffdzd\u797e\ufffd\u048b\ufffd\u06930\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdY\ufffd+?C\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
�������������G��6+a�1�6~�^>[��g���m��\�zҍ� -Ԙ�>IQ�(@{фgp4��rx������v�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������G��6+a�1�6~�^>[��g���m��\�zҍ� -Ԙ�>IQ�(@{фgp4��rx������v�����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������G��6+a�1�6~�^>[��g���m��\�zҍ� -Ԙ�>IQ�(@{фgp4��rx������v�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��X�+��ߝ[d^��hzM&�2y���6���@�R
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.826574375899751,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "77ca43667d991e00677fe6e4b0b6a2dd2ad4c8c6",
"event_fingerprint": "fa281e43a1524838258f20bc7430f72a1b8654b1",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "83abf91f3eb268d27058136c9f461be6",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0004G\ufffd\ufffd6+a\u00101\ufffd6~\ufffd^>[\ufffd\ufffdg\u000f\u001a\ufffdm\ufffd\ufffd\\\ufffdz\u048d\u0015 -\u0518\ufffd>IQ\ufffd(@{\u0444gp4\ufffd\ufffdrx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdv\u0002\ufffd\u0018\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0004G\ufffd\ufffd6+a\u00101\ufffd6~\ufffd^>[\ufffd\ufffdg\u000f\u001a\ufffdm\ufffd\ufffd\\\ufffdz\u048d\u0015 -\u0518\ufffd>IQ\ufffd(@{\u0444gp4\ufffd\ufffdrx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdv\u0002\ufffd\u0018\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0002\ufffdX\ufffd+\u000f\ufffd\u07dd[d^\ufffd\u0003hzM&\u00022y\ufffd\ufffd\ufffd6\b\ufffd\ufffd@\u001aR",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0004G\ufffd\ufffd6+a\u00101\ufffd6~\ufffd^>[\ufffd\ufffdg\u000f\u001a\ufffdm\ufffd\ufffd\\\ufffdz\u048d\u0015 -\u0518\ufffd>IQ\ufffd(@{\u0444gp4\ufffd\ufffdrx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdv\u0002\ufffd\u0018\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "10386b7f3539f6106c6971d06012586296d55146",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0004G\ufffd\ufffd6+a\u00101\ufffd6~\ufffd^>[\ufffd\ufffdg\u000f\u001a\ufffdm\ufffd\ufffd\\\ufffdz\u048d\u0015 -\u0518\ufffd>IQ\ufffd(@{\u0444gp4\ufffd\ufffdrx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdv\u0002\ufffd\u0018\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\ufffdG\ufffd\ufffd6+a1\ufffd6~\ufffd^>[\ufffd\ufffdg\ufffdm\ufffd\ufffd\\\ufffdz\u048d -\u0518\ufffd>IQ\ufffd(@{\u0444gp4\ufffd\ufffdrx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdv\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0004G\ufffd\ufffd6+a\u00101\ufffd6~\ufffd^>[\ufffd\ufffdg\u000f\u001a\ufffdm\ufffd\ufffd\\\ufffdz\u048d\u0015 -\u0518\ufffd>IQ\ufffd(@{\u0444gp4\ufffd\ufffdrx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdv\u0002\ufffd\u0018\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdG\ufffd\ufffd6+a1\ufffd6~\ufffd^>[\ufffd\ufffdg\ufffdm\ufffd\ufffd\\\ufffdz\u048d -\u0518\ufffd>IQ\ufffd(@{\u0444gp4\ufffd\ufffdrx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdv\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
������������R��,*�J�S����Z��L�H�J�N��|xr� ����K�B�eZb�� ������f�uwt-�갛��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������R��,*�J�S����Z��L�H�J�N��|xr� ����K�B�eZb���������f�uwt-�갛��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������R��,*�J�S����Z��L�H�J�N��|xr� ����K�B�eZb�� ������f�uwt-�갛��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �U�fc�q�g�9g��hR��1��.�!�����M�w
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.806362634579392,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "77ca43667d991e00677fe6e4b0b6a2dd2ad4c8c6",
"event_fingerprint": "fa281e43a1524838258f20bc7430f72a1b8654b1",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8e18d662e9ce6796e90fcab083479323",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdR\ufffd\u001f,*\ufffdJ\ufffdS\ufffd\ufffd\u0013\ufffdZ\ufffd\ufffdL\ufffdH\u0003J\ufffdN\ufffd\u0016|xr\u0012 \u0017\u001a\u0004\ufffdK\ufffdB\ufffdeZb\ufffd\ufffd\f\ufffd\u0005\ufffd\ufffd\ufffd\u0012f\u0016uwt-\ufffd\uac1b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdR\ufffd\u001f,*\ufffdJ\ufffdS\ufffd\ufffd\u0013\ufffdZ\ufffd\ufffdL\ufffdH\u0003J\ufffdN\ufffd\u0016|xr\u0012 \u0017\u001a\u0004\ufffdK\ufffdB\ufffdeZb\ufffd\ufffd\f\ufffd\u0005\ufffd\ufffd\ufffd\u0012f\u0016uwt-\ufffd\uac1b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0011U\u0017fc\ufffdq\ufffdg\ufffd9g\ufffd\ufffdhR\u0018\ufffd1\ufffd\ufffd.\ufffd!\ufffd\ufffd\u0002\ufffd\u0003M\ufffdw",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdR\ufffd\u001f,*\ufffdJ\ufffdS\ufffd\ufffd\u0013\ufffdZ\ufffd\ufffdL\ufffdH\u0003J\ufffdN\ufffd\u0016|xr\u0012 \u0017\u001a\u0004\ufffdK\ufffdB\ufffdeZb\ufffd\ufffd\f\ufffd\u0005\ufffd\ufffd\ufffd\u0012f\u0016uwt-\ufffd\uac1b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0e6db36f86063fcc5eefe5a67664e4e4321d3b6d",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdR\ufffd\u001f,*\ufffdJ\ufffdS\ufffd\ufffd\u0013\ufffdZ\ufffd\ufffdL\ufffdH\u0003J\ufffdN\ufffd\u0016|xr\u0012 \u0017\u001a\u0004\ufffdK\ufffdB\ufffdeZb\ufffd\ufffd\f\ufffd\u0005\ufffd\ufffd\ufffd\u0012f\u0016uwt-\ufffd\uac1b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\ufffdR\ufffd,*\ufffdJ\ufffdS\ufffd\ufffd\ufffdZ\ufffd\ufffdL\ufffdHJ\ufffdN\ufffd|xr \ufffdK\ufffdB\ufffdeZb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdfuwt-\ufffd\uac1b\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdR\ufffd\u001f,*\ufffdJ\ufffdS\ufffd\ufffd\u0013\ufffdZ\ufffd\ufffdL\ufffdH\u0003J\ufffdN\ufffd\u0016|xr\u0012 \u0017\u001a\u0004\ufffdK\ufffdB\ufffdeZb\ufffd\ufffd\f\ufffd\u0005\ufffd\ufffd\ufffd\u0012f\u0016uwt-\ufffd\uac1b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdR\ufffd,*\ufffdJ\ufffdS\ufffd\ufffd\ufffdZ\ufffd\ufffdL\ufffdHJ\ufffdN\ufffd|xr \ufffdK\ufffdB\ufffdeZb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdfuwt-\ufffd\uac1b\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
������������H&�g>�����E�����_�¶��|P�Ԉc�� ��S�J�D�؏.�88d��Ԑث�P^O<Ԭ ����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������H&�g>�����E�����_�¶��|P�Ԉc�� ��S�J�D�؏.�88d��Ԑث�P^O<Ԭ
����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������H&�g>�����E�����_�¶��|P�Ԉc�� ��S�J�D�؏.�88d��Ԑث�P^O<Ԭ ����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��g�_�8��� ��0�{�}�8� ���q.�j��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.817313624780422,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "77ca43667d991e00677fe6e4b0b6a2dd2ad4c8c6",
"event_fingerprint": "fa281e43a1524838258f20bc7430f72a1b8654b1",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "13558b2309ade075ac58efc0198c1a9c",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdH&\ufffdg>\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\u000f_\ufffd\u00b6\ufffd\ufffd|P\ufffd\u0508c\ufffd\ufffd \ufffd\ufffdS\ufffdJ\ufffdD\ufffd\u060f.\ufffd88d\u0016\ufffd\u0510\u062b\ufffdP^O<\u052c\r\ufffd\ufffd\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdH&\ufffdg>\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\u000f_\ufffd\u00b6\ufffd\ufffd|P\ufffd\u0508c\ufffd\ufffd \ufffd\ufffdS\ufffdJ\ufffdD\ufffd\u060f.\ufffd88d\u0016\ufffd\u0510\u062b\ufffdP^O<\u052c\r\ufffd\ufffd\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdg\ufffd_\ufffd8\u0019\ufffd\ufffd\u000b\ufffd\ufffd0\ufffd{\ufffd}\ufffd8\u0016\t\ufffd\ufffd\ufffdq.\ufffdj\ufffd\u0013",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdH&\ufffdg>\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\u000f_\ufffd\u00b6\ufffd\ufffd|P\ufffd\u0508c\ufffd\ufffd \ufffd\ufffdS\ufffdJ\ufffdD\ufffd\u060f.\ufffd88d\u0016\ufffd\u0510\u062b\ufffdP^O<\u052c\r\ufffd\ufffd\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b17e899bd1043e3d57a8ad68cd1804a7996c2025",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdH&\ufffdg>\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\u000f_\ufffd\u00b6\ufffd\ufffd|P\ufffd\u0508c\ufffd\ufffd \ufffd\ufffdS\ufffdJ\ufffdD\ufffd\u060f.\ufffd88d\u0016\ufffd\u0510\u062b\ufffdP^O<\u052c\r\ufffd\ufffd\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\ufffdH&\ufffdg>\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd_\ufffd\u00b6\ufffd\ufffd|P\ufffd\u0508c\ufffd\ufffd \ufffd\ufffdS\ufffdJ\ufffdD\ufffd\u060f.\ufffd88d\ufffd\u0510\u062b\ufffdP^O<\u052c\r\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdH&\ufffdg>\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\u000f_\ufffd\u00b6\ufffd\ufffd|P\ufffd\u0508c\ufffd\ufffd \ufffd\ufffdS\ufffdJ\ufffdD\ufffd\u060f.\ufffd88d\u0016\ufffd\u0510\u062b\ufffdP^O<\u052c\r\ufffd\ufffd\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdH&\ufffdg>\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd_\ufffd\u00b6\ufffd\ufffd|P\ufffd\u0508c\ufffd\ufffd \ufffd\ufffdS\ufffdJ\ufffdD\ufffd\u060f.\ufffd88d\ufffd\u0510\u062b\ufffdP^O<\u052c\r\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /app/.env.dev
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/.env.dev UA Mozilla/5.0 (Linux; Android 9; SM-G955N) AppleWebKit/537.36 (KH…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/app/.env.dev
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/app/.env.dev
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/.env.dev HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; SM-G955N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /app/.env.dev HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G955N) AppleWebKit/537.36 (KHTM
Requête brute (extrait)
GET /app/.env.dev HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G955N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "dev",
"http_ua_hash": "42279852616bde4c39316e27c86a00c91c9902db",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "df5aa2d688155147d78025f13efee7d00a0eafd8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 253,
"payload_entropy": 5.426187206711866,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.2,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "a73c241f6cd9fb17715691ca7a29663b6ed74ffd",
"event_fingerprint": "719107721fda972352c1201e44cf8788f6e5d096",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32ca84273c82fd13be4969f771622016",
"payload_hash": "e1b71c3d5190c643e49e9c614b7030dc",
"path_pattern_hash": "80cfd304d2c6517de5f460ebde85ca3d"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G955N) AppleWebKit\/537.36 (KHTM",
"method": "GET",
"path": "\/app\/.env.dev",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G955N) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/.env.dev HTTP\/1.1",
"request_sample": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G955N) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G955N) AppleWebKit\/537.36 (KHTM",
"evidence": {
"method": "GET",
"path": "\/app\/.env.dev",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G955N) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/.env.dev HTTP\/1.1",
"request_sample": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G955N) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G955N) AppleWebKit\/537.36 (KHTM",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6f0bc68ee0df938a87b8d57265d449f077c871ba",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.dev",
"request_line": "GET \/app\/.env.dev HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G955N) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G955N) AppleWebKit\/537.36 (KHTM",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.dev",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.dev",
"request_line": "GET \/app\/.env.dev HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G955N) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.dev",
"evidence_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G955N) AppleWebKit\/537.36 (KHTM",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP ALT 8090
Sonde PostgreSQL
postgres probe · via HTTP ALT 8090:8090 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
�����������_hk�I/O�r�} ��Ҁ�O���~�V4 ��-� @�쐺��(�D���U��:C��Y��)2/�ng���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������_hk�I/O�r�} ��Ҁ�O���~�V4 ��-� @�쐺��(�D���U��:C��Y��)2/�ng���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������_hk�I/O�r�} ��Ҁ�O���~�V4 ��-� @�쐺��(�D���U��:C��Y��)2/�ng���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� N�&L�ؚ1����}/"h��XhxT{-��Q� �2
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.886752709849494,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "77ca43667d991e00677fe6e4b0b6a2dd2ad4c8c6",
"event_fingerprint": "fa281e43a1524838258f20bc7430f72a1b8654b1",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e60a9e4b123d9f397522527a4855f9bd",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05fa_hk\u001bI\/O\ufffdr\ufffd}\t\ufffd\ufffd\u0480\ufffdO\ufffd\ufffd\ufffd~\ufffdV4 \ufffd\ufffd-\u001d @\ufffd\uc43a\ufffd\ufffd(\ufffdD\ufffd\ufffd\ufffdU\ufffd\ufffd:C\ufffd\u0006Y\ufffd\u0017)2\/\ufffdng\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05fa_hk\u001bI\/O\ufffdr\ufffd}\t\ufffd\ufffd\u0480\ufffdO\ufffd\ufffd\ufffd~\ufffdV4 \ufffd\ufffd-\u001d @\ufffd\uc43a\ufffd\ufffd(\ufffdD\ufffd\ufffd\ufffdU\ufffd\ufffd:C\ufffd\u0006Y\ufffd\u0017)2\/\ufffdng\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 N\ufffd&L\ufffd\u061a1\ufffd\ufffd\ufffd\u001c}\/\"h\u0007\ufffdXhxT{-\ufffd\ufffdQ\ufffd \ufffd2",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05fa_hk\u001bI\/O\ufffdr\ufffd}\t\ufffd\ufffd\u0480\ufffdO\ufffd\ufffd\ufffd~\ufffdV4 \ufffd\ufffd-\u001d @\ufffd\uc43a\ufffd\ufffd(\ufffdD\ufffd\ufffd\ufffdU\ufffd\ufffd:C\ufffd\u0006Y\ufffd\u0017)2\/\ufffdng\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "55bd51c185f0063af57bde12ffb1ed7725f20fb9",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05fa_hk\u001bI\/O\ufffdr\ufffd}\t\ufffd\ufffd\u0480\ufffdO\ufffd\ufffd\ufffd~\ufffdV4 \ufffd\ufffd-\u001d @\ufffd\uc43a\ufffd\ufffd(\ufffdD\ufffd\ufffd\ufffdU\ufffd\ufffd:C\ufffd\u0006Y\ufffd\u0017)2\/\ufffdng\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\u05fa_hkI\/O\ufffdr\ufffd}\t\ufffd\ufffd\u0480\ufffdO\ufffd\ufffd\ufffd~\ufffdV4 \ufffd\ufffd- @\ufffd\uc43a\ufffd\ufffd(\ufffdD\ufffd\ufffd\ufffdU\ufffd\ufffd:C\ufffdY\ufffd)2\/\ufffdng\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05fa_hk\u001bI\/O\ufffdr\ufffd}\t\ufffd\ufffd\u0480\ufffdO\ufffd\ufffd\ufffd~\ufffdV4 \ufffd\ufffd-\u001d @\ufffd\uc43a\ufffd\ufffd(\ufffdD\ufffd\ufffd\ufffdU\ufffd\ufffd:C\ufffd\u0006Y\ufffd\u0017)2\/\ufffdng\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8090:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\u05fa_hkI\/O\ufffdr\ufffd}\t\ufffd\ufffd\u0480\ufffdO\ufffd\ufffd\ufffd~\ufffdV4 \ufffd\ufffd- @\ufffd\uc43a\ufffd\ufffd(\ufffdD\ufffd\ufffd\ufffdU\ufffd\ufffd:C\ufffdY\ufffd)2\/\ufffdng\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /app/.env.staging
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/.env.staging UA Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/app/.env.staging
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/app/.env.staging
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/.env.staging HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0 Iceweasel/5.0
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /app/.env.staging HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefo
Requête brute (extrait)
GET /app/.env.staging HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0 Iceweasel/5.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "staging",
"http_ua_hash": "9d8b2fa1599c74e63591442cc4d813329231ea73",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "e84f59fbbec8a04fdfc3078fbdf0ae4fd69640c6",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 216,
"payload_entropy": 5.300596147228464,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.2,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "a73c241f6cd9fb17715691ca7a29663b6ed74ffd",
"event_fingerprint": "cabb9e4f1e4f69cabf6ceffb8f2dfb5b1e942d48",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "e18edfb1656e9676e904e728003d5bd4",
"payload_hash": "972046891908ed7f5db37ecdc22063c9",
"path_pattern_hash": "5a281530de78ccf813317373171371c8"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefo",
"method": "GET",
"path": "\/app\/.env.staging",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/.env.staging HTTP\/1.1",
"request_sample": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefo",
"evidence": {
"method": "GET",
"path": "\/app\/.env.staging",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/.env.staging HTTP\/1.1",
"request_sample": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefo",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f6ecad55a0af4a5c6b1b9f091cbfe60bf6932015",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.staging",
"request_line": "GET \/app\/.env.staging HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefo",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.staging",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.staging",
"request_line": "GET \/app\/.env.staging HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.staging",
"evidence_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefo",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /admin/.env.production
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /admin/.env.production UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWeb…
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950086:sqli-21
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/admin/.env.production
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/admin/.env.production
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « sqli-21 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
ET Magento admin
ES admin GET
ActiveMQ console
Ligne de requête
GET /admin/.env.production HTTP/1.1
User-Agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.5(0x17000523) NetType/WIFI Language/zh_CN
Règles WAF
sqli-21
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /admin/.env.production HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) A
Requête brute (extrait)
GET /admin/.env.production HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.5(0x17000523) NetType/WIFI Language/zh_CN Accept-Chars
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "production",
"http_ua_hash": "424707a6884bba0e5c2e08e31d55ac8958f398c0",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "6afcf6a74c4f4ca0deffd4538e4bee0be1658fdc",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 311,
"payload_entropy": 5.482977907044627,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.8,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 11,
"anomaly_count": 0,
"campaign_key": "82f88de2b3e083969375ad19b25e811c8a31c58f",
"event_fingerprint": "91b238cf52f3e8cd048fa3bace8b3993a48a05a0",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0854",
"pat-0341",
"pat-0606"
],
"matched_pattern_names": [
"ET Magento admin",
"ES admin GET",
"ActiveMQ console"
],
"pattern_ids": [
"pat-0854",
"pat-0341",
"pat-0606"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce1c3072c30adbf6ea5b4539750aacc2",
"payload_hash": "d1d2687906b46a1b1cc7e1f88aabbc20",
"path_pattern_hash": "2436e3a9cfeb9e9b135c78544dba7eee"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"method": "GET",
"path": "\/admin\/.env.production",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/admin\/.env.production HTTP\/1.1",
"payload_snippet": "GET \/admin\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) A",
"evidence": {
"method": "GET",
"path": "\/admin\/.env.production",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/admin\/.env.production HTTP\/1.1",
"request_sample": "GET \/admin\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN\r\nAccept-Chars",
"payload_snippet": "GET \/admin\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) A",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4c96bd975394440345f7c60252b06114eb15b65e",
"protocol_details": {
"http_method": "GET",
"http_path": "\/admin\/.env.production",
"request_line": "GET \/admin\/.env.production HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMess\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/admin\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) A",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env.production",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/admin\/.env.production",
"request_line": "GET \/admin\/.env.production HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMess\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env.production",
"evidence_snippet": "GET \/admin\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) A",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_admin_panel_probe",
"http_admin_panel_scan",
"http_backup_file_scan",
"http_probe_admin",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /frontend/.env.production
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /frontend/.env.production UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/frontend/.env.production
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/frontend/.env.production
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /frontend/.env.production HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /frontend/.env.production HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit
Requête brute (extrait)
GET /frontend/.env.production HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "production",
"http_ua_hash": "4653d473d6ec72d10eb80e05ec511aff887191b4",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "d9a2c7e4bfc8a23ebeeaa1888ef5fa4be1e92ee6",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 258,
"payload_entropy": 5.400085420355765,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.2,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "a73c241f6cd9fb17715691ca7a29663b6ed74ffd",
"event_fingerprint": "1f37a9183e198a95a7c12889e3d8f31764024252",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "96f529a4666856cf38fca8099012d912",
"payload_hash": "6aab9be6963bdfd3bc89c438de8488af",
"path_pattern_hash": "6f5e9dea5f57f4e72146c7e773e7255d"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit",
"method": "GET",
"path": "\/frontend\/.env.production",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/frontend\/.env.production HTTP\/1.1",
"request_sample": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n",
"payload_snippet": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit",
"evidence": {
"method": "GET",
"path": "\/frontend\/.env.production",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/frontend\/.env.production HTTP\/1.1",
"request_sample": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n",
"payload_snippet": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b3f693d46575302b3a25b122fa630a9eb282aa45",
"protocol_details": {
"http_method": "GET",
"http_path": "\/frontend\/.env.production",
"request_line": "GET \/frontend\/.env.production HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.production",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/frontend\/.env.production",
"request_line": "GET \/frontend\/.env.production HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.production",
"evidence_snippet": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /config/.env
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /config/.env UA Mozilla/5.0 (Linux; Android 7.0; Redmi Note 4 Build/NRD90M) App…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/config/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/config/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /config/.env HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 7.0; Redmi Note 4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /config/.env HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (Linux; Android 7.0; Redmi Note 4 Build/NRD90M) AppleW
Requête brute (extrait)
GET /config/.env HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Redmi Note 4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connect
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "env",
"http_ua_hash": "0ce4dc600a4cdd1b4d7fa7920f35a11a587dc3d1",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "867074af7203ec5cf6b039823237b28edf1066aa",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 270,
"payload_entropy": 5.441654045566193,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.6,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "ff251601f3d08346d822a3d103dfb1447b137ce0",
"event_fingerprint": "5837fc9a2a7c6ae4a3fb95cd202da5e71e920884",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "914445899429e1e78a668cb011bfe2d8",
"payload_hash": "a45a84e592dc4e6398269bd8cc79f7df",
"path_pattern_hash": "2aaa158af561315bc9004215c1f06852"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Redmi Note 4 Build\/NRD90M) AppleW",
"method": "GET",
"path": "\/config\/.env",
"user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Redmi Note 4 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/config\/.env HTTP\/1.1",
"request_sample": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Redmi Note 4 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect",
"payload_snippet": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Redmi Note 4 Build\/NRD90M) AppleW",
"evidence": {
"method": "GET",
"path": "\/config\/.env",
"user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Redmi Note 4 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/config\/.env HTTP\/1.1",
"request_sample": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Redmi Note 4 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect",
"payload_snippet": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Redmi Note 4 Build\/NRD90M) AppleW",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8be59b23ffab214c285d9053c47c228499434482",
"protocol_details": {
"http_method": "GET",
"http_path": "\/config\/.env",
"request_line": "GET \/config\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Redmi Note 4 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 \u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Redmi Note 4 Build\/NRD90M) AppleW",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/.env",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/config\/.env",
"request_line": "GET \/config\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Redmi Note 4 Build\/NRD90M) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 \u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/.env",
"evidence_snippet": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Redmi Note 4 Build\/NRD90M) AppleW",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_probe_config",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /api/.env.prod
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /api/.env.prod UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like…
Émulateur
HTTP
WAF
31
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/api/.env.prod
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/api/.env.prod
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /api/.env.prod HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
k8s-api
Payload (extrait)
GET /api/.env.prod HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Requête brute (extrait)
GET /api/.env.prod HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "prod",
"http_ua_hash": "fe5348c952496ea94a2d1f8b6189bd9b3c4c128d",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "a0523bde74b7800a5f62604ba67d5973949853e7",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 238,
"payload_entropy": 5.420737767877465,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.8,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "915851ae54fd75cd2dfefcb4b086364244781a78",
"event_fingerprint": "d42d137e7c22713488062683f093da7cbd2efe09",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "e3d6073ea4874db379c214e33553846a",
"payload_hash": "c4d4c2ea802f1455abe0e3d9417257a7",
"path_pattern_hash": "0d46dff1e6403d12ac8e9a297c932ed9"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like ",
"method": "GET",
"path": "\/api\/.env.prod",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1",
"k8s-api"
],
"request_line": "GET \/api\/.env.prod HTTP\/1.1",
"request_sample": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like",
"evidence": {
"method": "GET",
"path": "\/api\/.env.prod",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1",
"k8s-api"
],
"request_line": "GET \/api\/.env.prod HTTP\/1.1",
"request_sample": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e3596b4ea3027ae63635f7b2e78e01090f2b5e67",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.env.prod",
"request_line": "GET \/api\/.env.prod HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.prod",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.env.prod",
"request_line": "GET \/api\/.env.prod HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.prod",
"evidence_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_backup_file_scan",
"http_probe_api",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /services/api/.env
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /services/api/.env UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/services/api/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/services/api/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /services/api/.env HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.42 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /services/api/.env HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/
Requête brute (extrait)
GET /services/api/.env HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.42 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "env",
"http_ua_hash": "74d7f7b960e67c6029324b532e3bf5abc8d49e3b",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "450e32f1680bf647be59805b14bbd52061e00349",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 257,
"payload_entropy": 5.419208307614378,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.2,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "a73c241f6cd9fb17715691ca7a29663b6ed74ffd",
"event_fingerprint": "cb248ad95b07b45609c10493ea5fd1676e4e44fd",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d13f14c9d234a4a407f91367c2ec6b1e",
"payload_hash": "721876c47973b2f6339d90787fcfc960",
"path_pattern_hash": "9a476469205a3b7d9994ebc8d35d13e6"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/",
"method": "GET",
"path": "\/services\/api\/.env",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/services\/api\/.env HTTP\/1.1",
"request_sample": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r",
"payload_snippet": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/",
"evidence": {
"method": "GET",
"path": "\/services\/api\/.env",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/services\/api\/.env HTTP\/1.1",
"request_sample": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r",
"payload_snippet": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "eb1bdc39473fe4e42e85cd0f56428301638a736b",
"protocol_details": {
"http_method": "GET",
"http_path": "\/services\/api\/.env",
"request_line": "GET \/services\/api\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/api\/.env",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/services\/api\/.env",
"request_line": "GET \/services\/api\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/api\/.env",
"evidence_snippet": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /app/.env.bak
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/.env.bak UA Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_Version)…
Émulateur
HTTP
WAF
35
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/app/.env.bak
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/app/.env.bak
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/.env.bak HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_Version) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
leak-8
Payload (extrait)
GET /app/.env.bak HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_Version)
Requête brute (extrait)
GET /app/.env.bak HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod™_Version) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "bak",
"http_ua_hash": "d1fe78cc4b2390aa57ab35fd24fafa28626a16ef",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "675fe9576f3ec7add08a15dd0c540b55e5bbfdec",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 278,
"payload_entropy": 5.477058922748747,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.8,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "d6d97377ebee2866a5759a4e0715f4548697e5eb",
"event_fingerprint": "c8fcafb0c0d74af7533d28d2cfb3adb4fd62b442",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "89118e8e7adfb61feb0c5082572d1e14",
"payload_hash": "cc9dd1b55e81472fb293afceb7968ec9",
"path_pattern_hash": "a68a9dfeaee6097716a18c2b9f43c5f9"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version)",
"method": "GET",
"path": "\/app\/.env.bak",
"user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1",
"leak-8"
],
"request_line": "GET \/app\/.env.bak HTTP\/1.1",
"request_sample": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r",
"payload_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version)",
"evidence": {
"method": "GET",
"path": "\/app\/.env.bak",
"user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1",
"leak-8"
],
"request_line": "GET \/app\/.env.bak HTTP\/1.1",
"request_sample": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r",
"payload_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version)",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "30fb22ab845de666322c99c040b984d9d92b54b7",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.bak",
"request_line": "GET \/app\/.env.bak HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version)",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.bak",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.bak",
"request_line": "GET \/app\/.env.bak HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.bak",
"evidence_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; vivo Y31L.RastaMod\u2122_Version)",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8",
"http_backup_file_scan",
"http_backup_path",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /backend/.env
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /backend/.env UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleW…
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950086:sqli-21
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/backend/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/backend/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « sqli-21 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /backend/.env HTTP/1.1
User-Agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16C104 MicroMessenger/7.0.5(0x17000523) NetType/4G Language/zh_CN
Règles WAF
sqli-21
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /backend/.env HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWeb
Requête brute (extrait)
GET /backend/.env HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16C104 MicroMessenger/7.0.5(0x17000523) NetType/4G Language/zh_CN Accept-Charset: utf-8
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "env",
"http_ua_hash": "4af7bc39912e902dac64ddc9ebcef81f82909553",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "43427b722c17a9a0bc6fc425a8ca9501d2c985f0",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 302,
"payload_entropy": 5.440709104944914,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.6,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "17e87cbcf98800cf6685905988de15fd57d0225f",
"event_fingerprint": "8138032f8d8c3cf9c52f1f219c7d12de7a977aba",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "983f8800255038b3da137fa504c1ce5c",
"payload_hash": "db75ecfe3ea6c50e45ff3210ad141331",
"path_pattern_hash": "1ffd9afa4ff51d558fbb13c458726c9c"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWeb",
"method": "GET",
"path": "\/backend\/.env",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMessenger\/7.0.5(0x17000523) NetType\/4G Language\/zh_CN",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/backend\/.env HTTP\/1.1",
"request_sample": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMessenger\/7.0.5(0x17000523) NetType\/4G Language\/zh_CN\r\nAccept-Charset: utf-8",
"payload_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWeb",
"evidence": {
"method": "GET",
"path": "\/backend\/.env",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMessenger\/7.0.5(0x17000523) NetType\/4G Language\/zh_CN",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/backend\/.env HTTP\/1.1",
"request_sample": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMessenger\/7.0.5(0x17000523) NetType\/4G Language\/zh_CN\r\nAccept-Charset: utf-8",
"payload_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWeb",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9e8d9a1addda32f88ae874c181b83b3208097408",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.env",
"request_line": "GET \/backend\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMe\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWeb",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.env",
"request_line": "GET \/backend\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMe\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env",
"evidence_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWeb",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /app/api/.env
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/api/.env UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWeb…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/app/api/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/app/api/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/api/.env HTTP/1.1
User-Agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/80.0.262003652 Mobile/16G77 Safari/604.1
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /app/api/.env HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKi
Requête brute (extrait)
GET /app/api/.env HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/80.0.262003652 Mobile/16G77 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Conne
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "env",
"http_ua_hash": "e76d4f757a9bd2b7b908349144438dc19b9e5bc4",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "a26af0cb127afb7f53aace7ab18a175b4d8a51bd",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 272,
"payload_entropy": 5.3943309811077285,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.2,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "a73c241f6cd9fb17715691ca7a29663b6ed74ffd",
"event_fingerprint": "8c279ee7c9172c04678cddf9c754a9f435671f9d",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "5b872d7f32c1ae20aba530fff0d900cb",
"payload_hash": "477c2399f95a557aaae7e163bd8e285d",
"path_pattern_hash": "9328998b0872bf59d928235746a301f6"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKi",
"method": "GET",
"path": "\/app\/api\/.env",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/80.0.262003652 Mobile\/16G77 Safari\/604.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/api\/.env HTTP\/1.1",
"request_sample": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/80.0.262003652 Mobile\/16G77 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne",
"payload_snippet": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKi",
"evidence": {
"method": "GET",
"path": "\/app\/api\/.env",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/80.0.262003652 Mobile\/16G77 Safari\/604.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/api\/.env HTTP\/1.1",
"request_sample": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/80.0.262003652 Mobile\/16G77 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne",
"payload_snippet": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKi",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c354360c74f2b43d35c1e5bd903f2a6edd99f94a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/api\/.env",
"request_line": "GET \/app\/api\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/80.0.262003652 Mobi\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKi",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/api\/.env",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/api\/.env",
"request_line": "GET \/app\/api\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/80.0.262003652 Mobi\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/api\/.env",
"evidence_snippet": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKi",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /backend/.env.local
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /backend/.env.local UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/backend/.env.local
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/backend/.env.local
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /backend/.env.local HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /backend/.env.local HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit
Requête brute (extrait)
GET /backend/.env.local HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "local",
"http_ua_hash": "96499075caf3d0bc3257071f334c083bf9bf18c0",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "7a997ecf8c7c3ade11101024aba12e58dee560af",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 258,
"payload_entropy": 5.405245959447904,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.2,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "a73c241f6cd9fb17715691ca7a29663b6ed74ffd",
"event_fingerprint": "ed4fd3dd76fd7ae4a2e5ee2e337bbd12b32a15ef",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "1d7f306fec8907b288ece302d7101675",
"payload_hash": "9fdc386f1114082b101a5fc53550dbb3",
"path_pattern_hash": "6e2a711f7323df4e4b7b37b3c8fb7ec7"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit",
"method": "GET",
"path": "\/backend\/.env.local",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/backend\/.env.local HTTP\/1.1",
"request_sample": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n",
"payload_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit",
"evidence": {
"method": "GET",
"path": "\/backend\/.env.local",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/backend\/.env.local HTTP\/1.1",
"request_sample": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n",
"payload_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a0d283416337a7c6ae598a9763e7b50ebbe4c42a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.env.local",
"request_line": "GET \/backend\/.env.local HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.local",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.env.local",
"request_line": "GET \/backend\/.env.local HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.local",
"evidence_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /admin/.env
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /admin/.env UA SonyEricssonW850i/R1ED Browser/NetFront/3.3 Profile/MIDP-2.0 Co…
Émulateur
HTTP
WAF
20
Recommandation
Investiguer
Tags
950468:nosqli-3
950470:nosqli-3
950514:leak-1
http_admin_panel_probe
Cible HTTP
GET
/admin/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/admin/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
ET Magento admin
ES admin GET
ActiveMQ console
Ligne de requête
GET /admin/.env HTTP/1.1
User-Agent
SonyEricssonW850i/R1ED Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1
Règles WAF
nosqli-3
leak-1
Payload (extrait)
GET /admin/.env HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: SonyEricssonW850i/R1ED Browser/NetFront/3.3 Profile/MIDP-2.0 Config
Requête brute (extrait)
GET /admin/.env HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: SonyEricssonW850i/R1ED Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "env",
"http_ua_hash": "8a3240f5169197010bb3ea637c2e68ffdccece7c",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "9bae73d08848be44521e9c4d49360c6e081f0fff",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 213,
"payload_entropy": 5.281195224229857,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 88,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.8,
"risk_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 67,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "0034209aeccf37439697bad70d02b9c852e9bb76",
"event_fingerprint": "8b83599f8d4938846ffe582ba8176d1de34c40d6",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0854",
"pat-0341",
"pat-0606"
],
"matched_pattern_names": [
"ET Magento admin",
"ES admin GET",
"ActiveMQ console"
],
"pattern_ids": [
"pat-0854",
"pat-0341",
"pat-0606"
],
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "5d36d896bcdf3801db5d90cc14b43692",
"payload_hash": "037bd3ec1095fe319e5619bb5c900f0b",
"path_pattern_hash": "36de7f489df887c3e31f5a951469f711"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Config",
"method": "GET",
"path": "\/admin\/.env",
"user_agent": "SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"nosqli-3",
"leak-1"
],
"request_line": "GET \/admin\/.env HTTP\/1.1",
"request_sample": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Config",
"evidence": {
"method": "GET",
"path": "\/admin\/.env",
"user_agent": "SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"nosqli-3",
"leak-1"
],
"request_line": "GET \/admin\/.env HTTP\/1.1",
"request_sample": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Config",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "469992f1ec3671b8b54dc50dddeaef112f11a035",
"protocol_details": {
"http_method": "GET",
"http_path": "\/admin\/.env",
"request_line": "GET \/admin\/.env HTTP\/1.1",
"http_user_agent": "SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Config",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/admin\/.env",
"request_line": "GET \/admin\/.env HTTP\/1.1",
"http_user_agent": "SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.env",
"evidence_snippet": "GET \/admin\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Config",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_admin_panel_probe",
"http_admin_panel_scan",
"http_backup_file_scan",
"http_probe_admin",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /laravel/.env
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /laravel/.env UA SonyEricssonK800i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Co…
Émulateur
HTTP
WAF
20
Recommandation
Investiguer
Tags
950468:nosqli-3
950470:nosqli-3
950514:leak-1
http_backup_file_scan
Cible HTTP
GET
/laravel/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/laravel/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /laravel/.env HTTP/1.1
User-Agent
SonyEricssonK800i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0
Règles WAF
nosqli-3
leak-1
Payload (extrait)
GET /laravel/.env HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: SonyEricssonK800i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Conf
Requête brute (extrait)
GET /laravel/.env HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: SonyEricssonK800i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "env",
"http_ua_hash": "5c3c2a2513d182b758a3764b7825bbdef04ac8ad",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "8a8ae205bd806a11f7ace50730b7c0a8ef76120d",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 233,
"payload_entropy": 5.277175928505276,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 88,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.9,
"risk_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 66,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "21b829a8a63ec5ecbf1dc568dd390b44fb529bdb",
"event_fingerprint": "5fa5a188ff89d8f4f70c787fa124e3305ecea532",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "79835db275171036b9aa0d507d436a82",
"payload_hash": "752ca6b24cb3fe3f493c5527f3cca3e5",
"path_pattern_hash": "792fa580b048927b1e082634fc8cda9c"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SonyEricssonK800i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Conf",
"method": "GET",
"path": "\/laravel\/.env",
"user_agent": "SonyEricssonK800i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"nosqli-3",
"leak-1"
],
"request_line": "GET \/laravel\/.env HTTP\/1.1",
"request_sample": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SonyEricssonK800i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SonyEricssonK800i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Conf",
"evidence": {
"method": "GET",
"path": "\/laravel\/.env",
"user_agent": "SonyEricssonK800i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"nosqli-3",
"leak-1"
],
"request_line": "GET \/laravel\/.env HTTP\/1.1",
"request_sample": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SonyEricssonK800i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SonyEricssonK800i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Conf",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2ba7e0cf3710bd574cff7375ae7c20939d2221ea",
"protocol_details": {
"http_method": "GET",
"http_path": "\/laravel\/.env",
"request_line": "GET \/laravel\/.env HTTP\/1.1",
"http_user_agent": "SonyEricssonK800i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SonyEricssonK800i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Conf",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/laravel\/.env",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/laravel\/.env",
"request_line": "GET \/laravel\/.env HTTP\/1.1",
"http_user_agent": "SonyEricssonK800i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/laravel\/.env",
"evidence_snippet": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SonyEricssonK800i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Conf",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /portal/.env
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /portal/.env UA Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) A…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/portal/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/portal/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /portal/.env HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /portal/.env HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) Appl
Requête brute (extrait)
GET /portal/.env HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "env",
"http_ua_hash": "5293452ed8d7216a03ae39f1716f94c020355bda",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "25e9d50bacd292841afcec6b93bcba6a1f6790d4",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 264,
"payload_entropy": 5.394373709525094,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.2,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "a73c241f6cd9fb17715691ca7a29663b6ed74ffd",
"event_fingerprint": "3ab105199a3d6e0218ff5743b6484beeb4d25179",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "14ceea9fa263d8dc8fc78f91cead5a61",
"payload_hash": "853287dfb6b03640902d9d912837de7d",
"path_pattern_hash": "8432e822d78216a6822b5a443dbf894c"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) Appl",
"method": "GET",
"path": "\/portal\/.env",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/portal\/.env HTTP\/1.1",
"request_sample": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c",
"payload_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) Appl",
"evidence": {
"method": "GET",
"path": "\/portal\/.env",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/portal\/.env HTTP\/1.1",
"request_sample": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c",
"payload_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) Appl",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5d79792dc0232e5700861d7ac3a9cd07ba31b7a2",
"protocol_details": {
"http_method": "GET",
"http_path": "\/portal\/.env",
"request_line": "GET \/portal\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) Appl",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/portal\/.env",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/portal\/.env",
"request_line": "GET \/portal\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/portal\/.env",
"evidence_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) Appl",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /temp/.env
Élevée
Moyen · 58
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /temp/.env UA CSSCheck/1.2.2
Émulateur
HTTP
WAF
14
Recommandation
Investiguer
Tags
950468:nosqli-3
950514:leak-1
http_backup_file_scan
http_sensitive_path
Cible HTTP
GET
/temp/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/temp/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 58
Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /temp/.env HTTP/1.1
User-Agent
CSSCheck/1.2.2
Règles WAF
nosqli-3
leak-1
Payload (extrait)
GET /temp/.env HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: CSSCheck/1.2.2
Accept-Charset: utf-8
Accept-Encoding: gzip
Connec
Requête brute (extrait)
GET /temp/.env HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: CSSCheck/1.2.2 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "env",
"http_ua_hash": "cb8594eccbdf56c7162c02a2893c5d365580e0fb",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "a617862b9702a5eb0473c44d9afaf4e0da55a075",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 143,
"payload_entropy": 5.085499177918523,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 64,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.5,
"risk_breakdown": {
"waf": 64,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 58,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "b74724b237be9e3e3749ec2d3e65802dfeac8c03",
"event_fingerprint": "7c6af3ed281faa6299bb90a7129bece3a345d498",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 64,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 58,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d6a74c534e4f9257281a7fcee14cd5e3",
"payload_hash": "b2fa05043d6e14fd7c9b424a13860996",
"path_pattern_hash": "75ee17153df3d0dbe793fbb0bd486a6b"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 58
},
"payload_preview": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec",
"method": "GET",
"path": "\/temp\/.env",
"user_agent": "CSSCheck\/1.2.2",
"waf_tags": [
"950468:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"nosqli-3",
"leak-1"
],
"request_line": "GET \/temp\/.env HTTP\/1.1",
"request_sample": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec",
"evidence": {
"method": "GET",
"path": "\/temp\/.env",
"user_agent": "CSSCheck\/1.2.2",
"waf_tags": [
"950468:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"nosqli-3",
"leak-1"
],
"request_line": "GET \/temp\/.env HTTP\/1.1",
"request_sample": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8648935e41161f96ee40647b4963054c6a628447",
"protocol_details": {
"http_method": "GET",
"http_path": "\/temp\/.env",
"request_line": "GET \/temp\/.env HTTP\/1.1",
"http_user_agent": "CSSCheck\/1.2.2",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/temp\/.env",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 64,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 58,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 58,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/temp\/.env",
"request_line": "GET \/temp\/.env HTTP\/1.1",
"http_user_agent": "CSSCheck\/1.2.2",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/temp\/.env",
"evidence_snippet": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: CSSCheck\/1.2.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 64 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950468:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /.env.local
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /.env.local UA Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit/125…
Émulateur
HTTP
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_backup_file_scan
Cible HTTP
GET
/.env.local
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/.env.local
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
pat-0191
pat-0193
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /.env
Probe /.env.local
Ligne de requête
GET /.env.local HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit/125.4 (KHTML, like Gecko, Safari) OmniWeb/v563.15
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /.env.local HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit/125.4 (
Requête brute (extrait)
GET /.env.local HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit/125.4 (KHTML, like Gecko, Safari) OmniWeb/v563.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "local",
"http_ua_hash": "12c925cde932675ad2d938b73ea9509ae86f897b",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "1bd3d14a0dcd500ff7a77dd7b961ff8960851334",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 239,
"payload_entropy": 5.40155770829961,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 92,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.2,
"risk_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "d7d4a32ca31677cba821961cc31e93d8b67f8f95",
"event_fingerprint": "dda13851dbc0609ad22b66e0a037a861bab6e8a7",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 325,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"pat-0193",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"pat-0193",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0191",
"pat-0193"
],
"matched_pattern_names": [
"Probe \/.env",
"Probe \/.env.local"
],
"pattern_ids": [
"pat-0191",
"pat-0193"
],
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "1cabf74e242074910d5c90bc3f85c1e5",
"payload_hash": "90a2ca7ee82a022864230e8a6e79f84e",
"path_pattern_hash": "b9c24fc1b97f40588adfd0796c248786"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit\/125.4 (",
"method": "GET",
"path": "\/.env.local",
"user_agent": "Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit\/125.4 (KHTML, like Gecko, Safari) OmniWeb\/v563.15",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.local HTTP\/1.1",
"request_sample": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit\/125.4 (KHTML, like Gecko, Safari) OmniWeb\/v563.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit\/125.4 (",
"evidence": {
"method": "GET",
"path": "\/.env.local",
"user_agent": "Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit\/125.4 (KHTML, like Gecko, Safari) OmniWeb\/v563.15",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.local HTTP\/1.1",
"request_sample": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit\/125.4 (KHTML, like Gecko, Safari) OmniWeb\/v563.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit\/125.4 (",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6a34ce2a4f9f6036ef78756be61165b2c8bf33f5",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.local",
"request_line": "GET \/.env.local HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit\/125.4 (KHTML, like Gecko, Safari) OmniWeb\/v563.15",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit\/125.4 (",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.local",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"pat-0193"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"pat-0191",
"pat-0193"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.local",
"request_line": "GET \/.env.local HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit\/125.4 (KHTML, like Gecko, Safari) OmniWeb\/v563.15",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.local",
"evidence_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit\/125.4 (",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_probe_env_local",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /.env.uat
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /.env.uat UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleW…
Émulateur
HTTP
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_backup_file_scan
Cible HTTP
GET
/.env.uat
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/.env.uat
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
pat-0191
Upstream
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /.env
Ligne de requête
GET /.env.uat HTTP/1.1
User-Agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /.env.uat HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit/
Requête brute (extrait)
GET /.env.uat HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection:
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "uat",
"http_ua_hash": "4737e24dda37aab369cbf3ed897e4ff429612299",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "66d1899261b7971a064fb81964052eae4ab44ccb",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 265,
"payload_entropy": 5.37887564545597,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 92,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.9,
"risk_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 67,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "b875101184ca8e009be080b6a393fd58f53ce233",
"event_fingerprint": "6198a327097f6015d87fbefca6be1b9a9cdf438e",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 270,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0191"
],
"matched_pattern_names": [
"Probe \/.env"
],
"pattern_ids": [
"pat-0191"
],
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "62524c20a1e6cdfa5b4f1f9883764e3c",
"payload_hash": "f269847e9aba90797db6807e1be57d3e",
"path_pattern_hash": "ae4cb14da8dffdd0fce54bdc9802bc13"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/.env.uat HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/",
"method": "GET",
"path": "\/.env.uat",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.uat HTTP\/1.1",
"request_sample": "GET \/.env.uat HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ",
"payload_snippet": "GET \/.env.uat HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/",
"evidence": {
"method": "GET",
"path": "\/.env.uat",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.uat HTTP\/1.1",
"request_sample": "GET \/.env.uat HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ",
"payload_snippet": "GET \/.env.uat HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1152441977e689e4ce2d833494ed80ec6225c78d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.uat",
"request_line": "GET \/.env.uat HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/1\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.env.uat HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.uat",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"pat-0191",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.uat",
"request_line": "GET \/.env.uat HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/1\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.uat",
"evidence_snippet": "GET \/.env.uat HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /.env.dev
Élevée
Moyen · 49
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /.env.dev UA SuperBot/4.4.0.60 (Windows XP)
Émulateur
HTTP
WAF
8
Recommandation
Surveiller
Tags
950514:leak-1
http_backup_file_scan
http_sensitive_path
net_flood
Cible HTTP
GET
/.env.dev
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/.env.dev
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « leak-1 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 49
Confiance : Confiance 100 % — Motif catalogue confirmé · 1 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
pat-0191
Upstream
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /.env
Ligne de requête
GET /.env.dev HTTP/1.1
User-Agent
SuperBot/4.4.0.60 (Windows XP)
Règles WAF
leak-1
Payload (extrait)
GET /.env.dev HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: SuperBot/4.4.0.60 (Windows XP)
Accept-Charset: utf-8
Accept-Encodin
Requête brute (extrait)
GET /.env.dev HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: SuperBot/4.4.0.60 (Windows XP) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "dev",
"http_ua_hash": "03445952c518f6755b1bc6de6b84e5c811b4f8a5",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "a499321530f3e4ddd283e6792cf6d67b1e7cfe88",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 158,
"payload_entropy": 5.196836841463225,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 40,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 40,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 49,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "193016729b5974e073f09890189b8377cff9b88f",
"event_fingerprint": "33d3370749eb701da0f4e1f2136a7f7f0e311f5b",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 240,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream"
],
"matched_patterns": [
"pat-0191"
],
"matched_pattern_names": [
"Probe \/.env"
],
"pattern_ids": [
"pat-0191"
],
"confidence_breakdown": {
"waf": 40,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 49,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "82a0cea2412ff8dfa5f8ad72409a36a9",
"payload_hash": "748342b91902ad4239fc4850085caefe",
"path_pattern_hash": "ceb221ca10f5b573c09ea91320781e08"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 49
},
"payload_preview": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SuperBot\/4.4.0.60 (Windows XP)\r\nAccept-Charset: utf-8\r\nAccept-Encodin",
"method": "GET",
"path": "\/.env.dev",
"user_agent": "SuperBot\/4.4.0.60 (Windows XP)",
"waf_tags": [
"950514:leak-1"
],
"waf_rule_names": [
"leak-1"
],
"request_line": "GET \/.env.dev HTTP\/1.1",
"request_sample": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SuperBot\/4.4.0.60 (Windows XP)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SuperBot\/4.4.0.60 (Windows XP)\r\nAccept-Charset: utf-8\r\nAccept-Encodin",
"evidence": {
"method": "GET",
"path": "\/.env.dev",
"user_agent": "SuperBot\/4.4.0.60 (Windows XP)",
"waf_tags": [
"950514:leak-1"
],
"waf_rule_names": [
"leak-1"
],
"request_line": "GET \/.env.dev HTTP\/1.1",
"request_sample": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SuperBot\/4.4.0.60 (Windows XP)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SuperBot\/4.4.0.60 (Windows XP)\r\nAccept-Charset: utf-8\r\nAccept-Encodin",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6b15c9abf84641a349f3582dca115681985a6ace",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.dev",
"request_line": "GET \/.env.dev HTTP\/1.1",
"http_user_agent": "SuperBot\/4.4.0.60 (Windows XP)",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SuperBot\/4.4.0.60 (Windows XP)\r\nAccept-Charset: utf-8\r\nAccept-Encodin",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.dev",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 1 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab leak-1 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 40,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 49,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 49,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"pat-0191",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.dev",
"request_line": "GET \/.env.dev HTTP\/1.1",
"http_user_agent": "SuperBot\/4.4.0.60 (Windows XP)",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.dev",
"evidence_snippet": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: SuperBot\/4.4.0.60 (Windows XP)\r\nAccept-Charset: utf-8\r\nAccept-Encodin",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 1 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 40 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /.env.default
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /.env.default UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537…
Émulateur
HTTP
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_backup_file_scan
Cible HTTP
GET
/.env.default
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/.env.default
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
pat-0191
Upstream
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /.env
Ligne de requête
GET /.env.default HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.110 Safari/537.36 Vivaldi/2.7.1628.28
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /.env.default HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.3
Requête brute (extrait)
GET /.env.default HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.110 Safari/537.36 Vivaldi/2.7.1628.28 Accept-Charset: utf-8 Accept-Encoding: gzip Conn
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "default",
"http_ua_hash": "9aeccaa7bdc0439829b125e59d7df5cb1d00f025",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "437476297bcc04ccaf487ff217e9f02a35247fa6",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 273,
"payload_entropy": 5.445104524654757,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 92,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.9,
"risk_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 67,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "b875101184ca8e009be080b6a393fd58f53ce233",
"event_fingerprint": "4ed4f5bbf772fc0e40684ec8d85d477718912b34",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 270,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0191"
],
"matched_pattern_names": [
"Probe \/.env"
],
"pattern_ids": [
"pat-0191"
],
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ac7c8da3241a34ed1c17cc411c48aee8",
"payload_hash": "9db11b29346cacdaf23a534e9b3fc16b",
"path_pattern_hash": "ef22944b80bfbabaa71a03775ffca265"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.3",
"method": "GET",
"path": "\/.env.default",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.110 Safari\/537.36 Vivaldi\/2.7.1628.28",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.default HTTP\/1.1",
"request_sample": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.110 Safari\/537.36 Vivaldi\/2.7.1628.28\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn",
"payload_snippet": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.3",
"evidence": {
"method": "GET",
"path": "\/.env.default",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.110 Safari\/537.36 Vivaldi\/2.7.1628.28",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.default HTTP\/1.1",
"request_sample": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.110 Safari\/537.36 Vivaldi\/2.7.1628.28\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn",
"payload_snippet": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.3",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dbb4e515edf9e266481043f66fd2f6bee77f9271",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.default",
"request_line": "GET \/.env.default HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.110 Safari\/537.\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.3",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.default",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"pat-0191",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.default",
"request_line": "GET \/.env.default HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.110 Safari\/537.\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.default",
"evidence_snippet": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.3",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /.env.example
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /.env.example UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605…
Émulateur
HTTP
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_backup_file_scan
Cible HTTP
GET
/.env.example
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/.env.example
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
pat-0191
Upstream
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /.env
Ligne de requête
GET /.env.example HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /.env.example HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605.1
Requête brute (extrait)
GET /.env.example HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "example",
"http_ua_hash": "e927dd779001199eaf2d6efd910fcf650cf2b826",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "080963ef62d711207d0e68706f04d0705ec4d7fa",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 251,
"payload_entropy": 5.35635460147603,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 92,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.9,
"risk_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 67,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "b875101184ca8e009be080b6a393fd58f53ce233",
"event_fingerprint": "ace41bdfa915376c607ad03ecd4a13975251c4d6",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 270,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0191"
],
"matched_pattern_names": [
"Probe \/.env"
],
"pattern_ids": [
"pat-0191"
],
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "11475c2e17a7d058b47d1364ed362417",
"payload_hash": "dfed873f16fe6fb542bc10ca647567b8",
"path_pattern_hash": "f8bf22cb3ab23601599be7f21fa00aee"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1",
"method": "GET",
"path": "\/.env.example",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.example HTTP\/1.1",
"request_sample": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1",
"evidence": {
"method": "GET",
"path": "\/.env.example",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.example HTTP\/1.1",
"request_sample": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3eb1ffde2e37db02a2d682d8963c168aa69f9b59",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.example",
"request_line": "GET \/.env.example HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.example",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"pat-0191",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.example",
"request_line": "GET \/.env.example HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.example",
"evidence_snippet": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /.env.development.local
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /.env.development.local UA Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWeb…
Émulateur
HTTP
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_backup_file_scan
Cible HTTP
GET
/.env.development.local
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/.env.development.local
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
pat-0191
Upstream
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /.env
Ligne de requête
GET /.env.development.local HTTP/1.1
User-Agent
Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A346 Safari/602.1
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /.env.development.local HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X)
Requête brute (extrait)
GET /.env.development.local HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A346 Safari/602.1 Accept-Charset: utf-8 Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "local",
"http_ua_hash": "8bdd51946a43293fbf9e2d2927f2bf22d3fe1c14",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "44b27fcf42134edd5dc872c2c6f931dc026ceb76",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 277,
"payload_entropy": 5.348058665840795,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 92,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.9,
"risk_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 67,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "b875101184ca8e009be080b6a393fd58f53ce233",
"event_fingerprint": "760897c34f45b3d8d0459ce4fc9442e6970571e7",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 270,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0191"
],
"matched_pattern_names": [
"Probe \/.env"
],
"pattern_ids": [
"pat-0191"
],
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a15647e627b64dcad9c8f35ee8e9e677",
"payload_hash": "5a01562446c81a83a18fc3cb9b74c774",
"path_pattern_hash": "66b5346fea2c0f881a6004f5150ea85e"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) ",
"method": "GET",
"path": "\/.env.development.local",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/602.1.50 (KHTML, like Gecko) Version\/10.0 Mobile\/14A346 Safari\/602.1",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.development.local HTTP\/1.1",
"request_sample": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/602.1.50 (KHTML, like Gecko) Version\/10.0 Mobile\/14A346 Safari\/602.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n",
"payload_snippet": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X)",
"evidence": {
"method": "GET",
"path": "\/.env.development.local",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/602.1.50 (KHTML, like Gecko) Version\/10.0 Mobile\/14A346 Safari\/602.1",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.development.local HTTP\/1.1",
"request_sample": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/602.1.50 (KHTML, like Gecko) Version\/10.0 Mobile\/14A346 Safari\/602.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n",
"payload_snippet": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X)",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "44f6872e4f1c93c10d1cd84e13316f5adcb5aeea",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.development.local",
"request_line": "GET \/.env.development.local HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/602.1.50 (KHTML, like Gecko) Version\/10.0 Mobile\/14A\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X)",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.development.local",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"pat-0191",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.development.local",
"request_line": "GET \/.env.development.local HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/602.1.50 (KHTML, like Gecko) Version\/10.0 Mobile\/14A\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.development.local",
"evidence_snippet": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X)",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /private/.env.production
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /private/.env.production UA Mozilla/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit/537.36 (…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/private/.env.production
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/private/.env.production
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /private/.env.production HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /private/.env.production HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit
Requête brute (extrait)
GET /private/.env.production HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection:
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "production",
"http_ua_hash": "5653c56a7f11544f13e407297b45d1e522ae096b",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "733a894b07d9b79b5b4ab7169336337873d659bc",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 266,
"payload_entropy": 5.350848364950751,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.6,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "12aef3e2a1c623e19bc2bfa20a301f39b8be969d",
"event_fingerprint": "998a81c2b3780cb02456566bea86aeb7f92721a1",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "de0255e15b0b671ae4dc62919091c67c",
"payload_hash": "ceb798139e58900c2daac367c635e56d",
"path_pattern_hash": "d172a4f1c2b0f77cc0bf21a5051067d5"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit",
"method": "GET",
"path": "\/private\/.env.production",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/private\/.env.production HTTP\/1.1",
"request_sample": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:",
"payload_snippet": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit",
"evidence": {
"method": "GET",
"path": "\/private\/.env.production",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/private\/.env.production HTTP\/1.1",
"request_sample": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:",
"payload_snippet": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "83e774066f8d7e32e4f7a8b239a63b46fa148907",
"protocol_details": {
"http_method": "GET",
"http_path": "\/private\/.env.production",
"request_line": "GET \/private\/.env.production HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/53\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/.env.production",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/private\/.env.production",
"request_line": "GET \/private\/.env.production HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/53\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/.env.production",
"evidence_snippet": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi A2 Lite) AppleWebKit",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_probe_private",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /server/.env.backup
Élevée
Élevé · 70
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /server/.env.backup UA Mozilla/5.0 (Linux; Android 9; SM-G950F) AppleWebKit/537.36 (KH…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/server/.env.backup
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/server/.env.backup
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 70
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /server/.env.backup HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; SM-G950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /server/.env.backup HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G950F) AppleWebKit/537.36
Requête brute (extrait)
GET /server/.env.backup HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "backup",
"http_ua_hash": "313d04a6271d72d8bdffdf729f500205ab4255ef",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "a6afd16dcc7e295164dcac142437708cf1e776d5",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 259,
"payload_entropy": 5.434749507159097,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.2,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 70,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "a73c241f6cd9fb17715691ca7a29663b6ed74ffd",
"event_fingerprint": "28698fc87fe2fba60dab79501c532f7ba43a411d",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a8d77e7f4c0c03c9696794aa1e4b22a3",
"payload_hash": "c38f319866d7120ef2d27fb16482e163",
"path_pattern_hash": "25c668888eb11fc8c703644010d4b817"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 70
},
"payload_preview": "GET \/server\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36",
"method": "GET",
"path": "\/server\/.env.backup",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/server\/.env.backup HTTP\/1.1",
"request_sample": "GET \/server\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r",
"payload_snippet": "GET \/server\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36",
"evidence": {
"method": "GET",
"path": "\/server\/.env.backup",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/server\/.env.backup HTTP\/1.1",
"request_sample": "GET \/server\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r",
"payload_snippet": "GET \/server\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ddf089e09a92f39eee694c082cbff8c81d672d19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/server\/.env.backup",
"request_line": "GET \/server\/.env.backup HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/server\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/.env.backup",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 70,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 70,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/server\/.env.backup",
"request_line": "GET \/server\/.env.backup HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server\/.env.backup",
"evidence_snippet": "GET \/server\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950F) AppleWebKit\/537.36",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /api/.env.bak
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /api/.env.bak UA Mozilla/5.0 (Linux; Android 4.4.2; LGMS323 Build/KOT49I.MS32310…
Émulateur
HTTP
WAF
39
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/api/.env.bak
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/api/.env.bak
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 6 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /api/.env.bak HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 4.4.2; LGMS323 Build/KOT49I.MS32310b) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.103 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
leak-8
k8s-api
Payload (extrait)
GET /api/.env.bak HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; LGMS323 Build/KOT49I.MS32310b)
Requête brute (extrait)
GET /api/.env.bak HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; LGMS323 Build/KOT49I.MS32310b) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.103 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "bak",
"http_ua_hash": "d82ab0faecaad77cf954d38ae9390fdfb5e7055d",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "db58915b70ec4f4897682eec5a7fd50dc2102271",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 278,
"payload_entropy": 5.475285653114463,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.8,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 11,
"anomaly_count": 0,
"campaign_key": "27461de6b4596030bc8f3bd4daab41d85f008c7a",
"event_fingerprint": "ab0e72b7c42e37eb581e508cef30eb1a7cfd7592",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "83345b8927d5b950b885688fcf1a7549",
"payload_hash": "ee3d1c8a864b06ea051e3901d05957d9",
"path_pattern_hash": "704472054da186f49a4245e261c91fda"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b)",
"method": "GET",
"path": "\/api\/.env.bak",
"user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.103 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8",
"950600:k8s-api"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1",
"leak-8",
"k8s-api"
],
"request_line": "GET \/api\/.env.bak HTTP\/1.1",
"request_sample": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.103 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r",
"payload_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b)",
"evidence": {
"method": "GET",
"path": "\/api\/.env.bak",
"user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.103 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8",
"950600:k8s-api"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1",
"leak-8",
"k8s-api"
],
"request_line": "GET \/api\/.env.bak HTTP\/1.1",
"request_sample": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.103 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r",
"payload_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b)",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b7fc9b40da671e88fbfb23c80d25d9ddc39bc680",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.env.bak",
"request_line": "GET \/api\/.env.bak HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.15\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b)",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.bak",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.env.bak",
"request_line": "GET \/api\/.env.bak HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.15\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.bak",
"evidence_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; LGMS323 Build\/KOT49I.MS32310b)",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 6 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8",
"950600:k8s-api",
"http_backup_file_scan",
"http_backup_path",
"http_probe_api",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /.env.test
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /.env.test UA Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/3…
Émulateur
HTTP
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_backup_file_scan
Cible HTTP
GET
/.env.test
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/.env.test
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
pat-0191
Upstream
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /.env
Ligne de requête
GET /.env.test HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/32.0
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /.env.test HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/32.0
Requête brute (extrait)
GET /.env.test HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/32.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "test",
"http_ua_hash": "51be3634ba4e4a58df8e12f83430a343c74959ff",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "4e40a92f813d5ab41a0033a3846a1a977ff1de23",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 195,
"payload_entropy": 5.23395620438474,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 92,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.9,
"risk_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 67,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "b875101184ca8e009be080b6a393fd58f53ce233",
"event_fingerprint": "5c66a087bbeb56facdeeee9ef497171a4d6f1a21",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 270,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0191"
],
"matched_pattern_names": [
"Probe \/.env"
],
"pattern_ids": [
"pat-0191"
],
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "5285b277d72c4ac82f931a2157ac21b8",
"payload_hash": "f90bebae5dfdc74e221a5f1251504b7b",
"path_pattern_hash": "d0f775cf96d71b1d76da4d08e462f07a"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0\r\n",
"method": "GET",
"path": "\/.env.test",
"user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.test HTTP\/1.1",
"request_sample": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0",
"evidence": {
"method": "GET",
"path": "\/.env.test",
"user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.test HTTP\/1.1",
"request_sample": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7ae4b12992878e04fdf342c212dd204729172a5c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.test",
"request_line": "GET \/.env.test HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.test",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"pat-0191",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.test",
"request_line": "GET \/.env.test HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.test",
"evidence_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /internal/.env.production
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /internal/.env.production UA Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20100101 Fir…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/internal/.env.production
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/internal/.env.production
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /internal/.env.production HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20100101 Firefox/4.2a1pre
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /internal/.env.production HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20
Requête brute (extrait)
GET /internal/.env.production HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20100101 Firefox/4.2a1pre Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "production",
"http_ua_hash": "1609cb7afc4818ecfa4fd09f4a99f4b7f89776de",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "d290e289983be8731f71ebf018001c11bad4ee88",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 220,
"payload_entropy": 5.277568141635929,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.6,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "7725643a306823b5e53c30c11a431085dad271be",
"event_fingerprint": "08420717ab1010fbb55b1672b52e87ef0660df6a",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "9f7bf7e48d3f63c5e0e8476feb345376",
"payload_hash": "3429a3074d3238ff7a97d0bc242f1945",
"path_pattern_hash": "82c27c01e593b4c327a9fce0421e0d53"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20",
"method": "GET",
"path": "\/internal\/.env.production",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/internal\/.env.production HTTP\/1.1",
"request_sample": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20",
"evidence": {
"method": "GET",
"path": "\/internal\/.env.production",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/internal\/.env.production HTTP\/1.1",
"request_sample": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1bd0c93ee0b53d3cadcd77d7c26b81949e2d9e19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/internal\/.env.production",
"request_line": "GET \/internal\/.env.production HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/.env.production",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/internal\/.env.production",
"request_line": "GET \/internal\/.env.production HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20100101 Firefox\/4.2a1pre",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/.env.production",
"evidence_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko\/20",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_probe_internal",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /private/.env
Élevée
Élevé · 71
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /private/.env UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWeb…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/private/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/private/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 71
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /private/.env HTTP/1.1
User-Agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /private/.env HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKi
Requête brute (extrait)
GET /private/.env HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Accept-Charset: utf-8 Accept-Encoding: gzip Conn
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "env",
"http_ua_hash": "2bfbe271706a862f6724b92d23435ed5f9e6cb45",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "42ecb4d5f4be7b556e157ee15a288da92dfb0e45",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 273,
"payload_entropy": 5.394102195944671,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 7.6,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 71,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "12aef3e2a1c623e19bc2bfa20a301f39b8be969d",
"event_fingerprint": "5dcc0e45809a6e46aa2bde7951ffc49fda261095",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "470d3fdd8e48dbfcf47545bf77c6e6cc",
"payload_hash": "63dcf42b0748bed3fee8eb0185a9f8eb",
"path_pattern_hash": "467844c5e65593cac952660a5e740364"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 71
},
"payload_preview": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKi",
"method": "GET",
"path": "\/private\/.env",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/private\/.env HTTP\/1.1",
"request_sample": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn",
"payload_snippet": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKi",
"evidence": {
"method": "GET",
"path": "\/private\/.env",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/private\/.env HTTP\/1.1",
"request_sample": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn",
"payload_snippet": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKi",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8459f67cd51713400b942b24f0a03c341dd96e61",
"protocol_details": {
"http_method": "GET",
"http_path": "\/private\/.env",
"request_line": "GET \/private\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobi\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKi",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/.env",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 71\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 71,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 71,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/private\/.env",
"request_line": "GET \/private\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobi\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/.env",
"evidence_snippet": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKi",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_probe_private",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:42:31 UTC
TCP
8090 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8090 · (tentative d'exploit) · → /.env.live
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /.env.live UA Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KH…
Émulateur
HTTP
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_backup_file_scan
Cible HTTP
GET
/.env.live
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8090
Chemin / cible
/.env.live
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
pat-0191
Upstream
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /.env
Ligne de requête
GET /.env.live HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /.env.live HTTP/1.1
Host: 62.3.50.33:8090
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML,
Requête brute (extrait)
GET /.env.live HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "live",
"http_ua_hash": "521eae25998e470859810ebe6a8a836051c1b2aa",
"http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b",
"http_target_hash": "6ac4c96f7567e632cc17c82931a457152d6117b9",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 250,
"payload_entropy": 5.419706736870088,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8090,
"risk_waf": 92,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.9,
"risk_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 67,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "b875101184ca8e009be080b6a393fd58f53ce233",
"event_fingerprint": "4be942c31de9cdccb546e3517c1c0af8b0c625e6",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 270,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0191"
],
"matched_pattern_names": [
"Probe \/.env"
],
"pattern_ids": [
"pat-0191"
],
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "9b2ce34d57c38b17869871ab02145de0",
"payload_hash": "b12da4a9a4ab24b1678755ed1ec05085",
"path_pattern_hash": "0bb869934ccc3c32135ba9dd6550d1cf"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/.env.live HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, ",
"method": "GET",
"path": "\/.env.live",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.live HTTP\/1.1",
"request_sample": "GET \/.env.live HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env.live HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML,",
"evidence": {
"method": "GET",
"path": "\/.env.live",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.live HTTP\/1.1",
"request_sample": "GET \/.env.live HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env.live HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML,",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "51d2fdcc9c7a5f08f826e82f0e59ee18a5cedde2",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.live",
"request_line": "GET \/.env.live HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.env.live HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML,",
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.live",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"pat-0191",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.live",
"request_line": "GET \/.env.live HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8090 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.live",
"evidence_snippet": "GET \/.env.live HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML,",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8090"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}