|
|
TCP |
5601 · KIBANA
|
kibana
|
Sonde PostgreSQL
postgres probe · via KIBANA:5601 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
KIBANA
WAF
—
Recommandation
Surveiller
Tags
kibana_emulated
net_kibana_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5601
Chemin / cible
—
Service
KIBANA
Payload
�����������+���7ċb������4����u�y��<�#vc�[� �S�L���HĠ��D�����p�7]�쟊��f��J���+�/�,�0̨̩� ��� �����������m� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������+���7ċb������4����u�y��<�#vc�[� �S�L���HĠ��D�����p�7]�쟊��f��J���+�/�,�0̨̩� ���
�����������m�����������������
Requête brute (extrait)
�����������+���7ċb������4����u�y��<�#vc�[� �S�L���HĠ��D�����p�7]�쟊��f��J���+�/�,�0̨̩� ��� �����������m� ��������������������������� � � ����������� �������������������������2��������������������������������� �h2�http/1.1�+��������3��������LRn��hL6~@�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a6b626e2d6e616d653a20686f6e6579706f742d6b6962616e610d0a6b626e2d76657273696f6e3a20382e31312e300d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2034340d0a0d0a7b2273746174757322",
"emulator_response_len": 163,
"bytes_in": 1497,
"payload_entropy": 7.724519722552748,
"port_category": "registered",
"org": "Google LLC",
"service": "kibana",
"app_proto": "kibana",
"asn": 396982,
"country": "US",
"dst_port": 5601,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "596002711a0eb0a4f35b7d18a0ad8be3baf85baf",
"event_fingerprint": "2e1f529c61b64068b719daaa760380b1c25ad6a1",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "kibana",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a9dc320f5915f9e90191b9a0108c3dcd",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 5601,
"service": "kibana",
"service_name": "kibana",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003+\ufffd\ufffd\u001b7\u010bb\ufffd\u001d\u0004\ufffd\u0015\ufffd4\ufffd\ufffd\u001c\ufffdu\u001ey\ufffd\ufffd<\ufffd#vc\ufffd[\ufffd \ufffdS\ufffdL\ufffd\ufffd\ufffdH\u0120\ufffd\u000fD\ufffd\ufffd\u0011\ufffd\ufffdp\ufffd7]\ufffd\uc7ca\ufffd\u0007f\ufffd\ufffdJ\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003+\ufffd\ufffd\u001b7\u010bb\ufffd\u001d\u0004\ufffd\u0015\ufffd4\ufffd\ufffd\u001c\ufffdu\u001ey\ufffd\ufffd<\ufffd#vc\ufffd[\ufffd \ufffdS\ufffdL\ufffd\ufffd\ufffdH\u0120\ufffd\u000fD\ufffd\ufffd\u0011\ufffd\ufffdp\ufffd7]\ufffd\uc7ca\ufffd\u0007f\ufffd\ufffdJ\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffdLRn\ufffd\u001ahL6~@\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003+\ufffd\ufffd\u001b7\u010bb\ufffd\u001d\u0004\ufffd\u0015\ufffd4\ufffd\ufffd\u001c\ufffdu\u001ey\ufffd\ufffd<\ufffd#vc\ufffd[\ufffd \ufffdS\ufffdL\ufffd\ufffd\ufffdH\u0120\ufffd\u000fD\ufffd\ufffd\u0011\ufffd\ufffdp\ufffd7]\ufffd\uc7ca\ufffd\u0007f\ufffd\ufffdJ\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "34332005facd9363add5f7bd6b289b640652043b",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003+\ufffd\ufffd\u001b7\u010bb\ufffd\u001d\u0004\ufffd\u0015\ufffd4\ufffd\ufffd\u001c\ufffdu\u001ey\ufffd\ufffd<\ufffd#vc\ufffd[\ufffd \ufffdS\ufffdL\ufffd\ufffd\ufffdH\u0120\ufffd\u000fD\ufffd\ufffd\u0011\ufffd\ufffdp\ufffd7]\ufffd\uc7ca\ufffd\u0007f\ufffd\ufffdJ\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 5601,
"service": "kibana",
"service_label_fr": "KIBANA"
},
"evidence_snippet": "\ufffd\ufffd+\ufffd\ufffd7\u010bb\ufffd\ufffd\ufffd4\ufffd\ufffd\ufffduy\ufffd\ufffd<\ufffd#vc\ufffd[\ufffd \ufffdS\ufffdL\ufffd\ufffd\ufffdH\u0120\ufffdD\ufffd\ufffd\ufffd\ufffdp\ufffd7]\ufffd\uc7ca\ufffdf\ufffd\ufffdJ\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdm\ufffd",
"attack_vector": "postgres probe \u00b7 via KIBANA:5601 \u00b7 (sonde \/ probe)",
"target_port_label": "5601 \u00b7 KIBANA",
"emulator_service": "kibana",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "kibana",
"service_label_fr": "KIBANA",
"dst_port": 5601,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-kibana",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003+\ufffd\ufffd\u001b7\u010bb\ufffd\u001d\u0004\ufffd\u0015\ufffd4\ufffd\ufffd\u001c\ufffdu\u001ey\ufffd\ufffd<\ufffd#vc\ufffd[\ufffd \ufffdS\ufffdL\ufffd\ufffd\ufffdH\u0120\ufffd\u000fD\ufffd\ufffd\u0011\ufffd\ufffdp\ufffd7]\ufffd\uc7ca\ufffd\u0007f\ufffd\ufffdJ\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 5601,
"service": "kibana",
"service_label_fr": "KIBANA"
},
"attack_vector": "postgres probe \u00b7 via KIBANA:5601 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd+\ufffd\ufffd7\u010bb\ufffd\ufffd\ufffd4\ufffd\ufffd\ufffduy\ufffd\ufffd<\ufffd#vc\ufffd[\ufffd \ufffdS\ufffdL\ufffd\ufffd\ufffdH\u0120\ufffdD\ufffd\ufffd\ufffd\ufffdp\ufffd7]\ufffd\uc7ca\ufffdf\ufffd\ufffdJ\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdm\ufffd",
"target_port_label": "5601 \u00b7 KIBANA",
"emulator_service": "kibana",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "kibana",
"service_banner": "honeypot-kibana",
"service_os": "linux",
"dst_port": "5601"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"couchdb",
"http",
"kibana"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"kibana_emulated",
"net_kibana_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5984 · COUCHDB
|
couchdb
|
couchdb probe
couchdb probe · via COUCHDB:5984 · (sonde / probe)
|
Élevée
|
Moyen · 49
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
COUCHDB
WAF
—
Recommandation
Surveiller
Tags
couchdb_emulated
couchdb_payload
couchdb_probe
couchdb_rest_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5984
Chemin / cible
—
Service
COUCHDB
Payload
GET /_all_dbs HTTP/1.1 Host: 62.3.50.33:5984 User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0) Accept: applicatio
Pourquoi cette classification : Type « couchdb_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 49
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Infra Couchdb Db
Upstream
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /_all_dbs HTTP/1.1
Host: 62.3.50.33:5984
User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0)
Accept: applicatio
Requête brute (extrait)
GET /_all_dbs HTTP/1.1 Host: 62.3.50.33:5984 User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0) Accept: application/json, text/plain, */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a20436f75636844422f332e332e33202845726c616e67204f5450290d0a582d436f75636844422d426f64792d54696d653a20300d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a20313534",
"emulator_response_len": 286,
"bytes_in": 178,
"payload_entropy": 5.298693772115052,
"port_category": "registered",
"org": "Google LLC",
"service": "couchdb",
"app_proto": "couchdb",
"asn": 396982,
"country": "US",
"dst_port": 5984,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25
},
"risk_score": 49,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "1a714389d6d9067ad71ffae1e1380faa8f150387",
"event_fingerprint": "ff7d4ab9a5d149e36f724b4980f53d45ea707dff",
"classification_reason": "Type \u00ab couchdb_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 87,
"precision_signals": [
"INT-INFRA-couchdb-db",
"INT-upstream"
],
"kb_rule_ids": [
"INT-INFRA-couchdb-db",
"INT-upstream"
],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 49
},
"named_classification_skipped": false,
"service_name": "couchdb",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "dfe2c7ffb91830bd1b31f20f4ff11f0a",
"path_pattern_hash": "ce747dac2688338e030a6b5f71103175"
},
"target_context": {
"dst_port": 5984,
"service": "couchdb",
"service_name": "couchdb",
"risk_score": 49
},
"payload_preview": "GET \/_all_dbs HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: applicatio",
"request_sample": "GET \/_all_dbs HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, text\/plain, *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/_all_dbs HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: applicatio",
"evidence": {
"request_sample": "GET \/_all_dbs HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, text\/plain, *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/_all_dbs HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: applicatio",
"classification_reason": "Type \u00ab couchdb_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "be4880b4a2c1f129a38ef1f371bf356aec3fd50a",
"protocol_details": {
"payload_preview": "GET \/_all_dbs HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: applicatio",
"port": 5984,
"service": "couchdb",
"service_label_fr": "COUCHDB"
},
"evidence_snippet": "GET \/_all_dbs HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: applicatio",
"attack_vector": "couchdb probe \u00b7 via COUCHDB:5984 \u00b7 (sonde \/ probe)",
"target_port_label": "5984 \u00b7 COUCHDB",
"emulator_service": "couchdb",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab couchdb_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab couchdb_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 49
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 49,
"risk_label": "Moyen",
"service_name": "couchdb",
"service_label_fr": "COUCHDB",
"dst_port": 5984,
"protocol_emulated": true,
"tags_summary": [
"INT-INFRA-couchdb-db",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Infra Couchdb Db",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-couchdb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/_all_dbs HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: applicatio",
"port": 5984,
"service": "couchdb",
"service_label_fr": "COUCHDB"
},
"attack_vector": "couchdb probe \u00b7 via COUCHDB:5984 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/_all_dbs HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: applicatio",
"target_port_label": "5984 \u00b7 COUCHDB",
"emulator_service": "couchdb",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "couchdb",
"service_banner": "honeypot-couchdb",
"service_os": "linux",
"dst_port": "5984"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"couchdb_emulated",
"couchdb_payload",
"couchdb_probe",
"couchdb_rest_probe",
"http_get_probe",
"mozi_pattern",
"net_couchdb_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
7474 · NEO4J HTTP
|
neo4j-http
|
neo4j probe
neo4j probe · via NEO4J HTTP:7474 · (sonde / probe)
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
NEO4J-HTTP
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mozi_pattern
neo4j_http_emulated
neo4j_http_payload
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7474
Chemin / cible
—
Service
NEO4J HTTP
Payload
GET / HTTP/1.1 Host: 62.3.50.33:7474 User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0) Accept: application/json,
Pourquoi cette classification : Type « neo4j_probe » (signaux protocolaires) · confiance 0%
Confiance classification
8%
Corrélation +8
Risque capteur
Faible
· 34
Confiance : Confiance 0 % — 5 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:7474
User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0)
Accept: application/json,
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:7474 User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0) Accept: application/json, text/plain, */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206e656f346a5f6874747020726561647920706f72743d373437340d0a",
"emulator_response_len": 41,
"bytes_in": 170,
"payload_entropy": 5.251266672433053,
"port_category": "registered",
"org": "Google LLC",
"service": "neo4j-http",
"app_proto": "neo4j-http",
"asn": 396982,
"country": "US",
"dst_port": 7474,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25
},
"risk_score": 34,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "998d5ac935ce497d2e50c5015154703e40e58cbe",
"event_fingerprint": "ffdd3fa787ef458447ff0cfdafc3f198ff9634ff",
"classification_reason": "Type \u00ab neo4j_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0.08,
"classification_confidence": 0.08,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 34,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "neo4j-http",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fb045059ac0fca312eed610879891ad4",
"path_pattern_hash": "f73c9a0e87cbb3a4f1935c8231eef1b9"
},
"target_context": {
"dst_port": 7474,
"service": "neo4j-http",
"service_name": "neo4j-http",
"risk_score": 34
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, ",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, text\/plain, *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, text\/plain, *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"classification_reason": "Type \u00ab neo4j_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5f04cf722e6f00cdc9d9325fbc53a5aeb9cef1c5",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"port": 7474,
"service": "neo4j-http",
"service_label_fr": "NEO4J HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"attack_vector": "neo4j probe \u00b7 via NEO4J HTTP:7474 \u00b7 (sonde \/ probe)",
"target_port_label": "7474 \u00b7 NEO4J HTTP",
"emulator_service": "neo4j-http",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab neo4j_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab neo4j_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100",
"confidence_pct": 8,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 34,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "neo4j-http",
"service_label_fr": "NEO4J HTTP",
"dst_port": 7474,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-neo4j-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"port": 7474,
"service": "neo4j-http",
"service_label_fr": "NEO4J HTTP"
},
"attack_vector": "neo4j probe \u00b7 via NEO4J HTTP:7474 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"target_port_label": "7474 \u00b7 NEO4J HTTP",
"emulator_service": "neo4j-http",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "neo4j_http",
"service_banner": "honeypot-neo4j-http",
"service_os": "linux",
"dst_port": "7474"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"couchdb",
"http",
"neo4j-http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mozi_pattern",
"neo4j_http_emulated",
"neo4j_http_payload",
"net_neo4j_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7474 · NEO4J HTTP
|
neo4j-http
|
Sonde PostgreSQL
postgres probe · via NEO4J HTTP:7474 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
NEO4J-HTTP
WAF
—
Recommandation
Surveiller
Tags
neo4j_http_emulated
neo4j_http_payload
net_neo4j_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7474
Chemin / cible
—
Service
NEO4J HTTP
Payload
�������������5_��͝-��b����@�� �}ϩ�|MB'��4 ϰ�o�>�%������d�wc�[J"iO�kG��>�����+�/�,�0̨̩� ��� �����������m� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������5_��͝-��b����@����}ϩ�|MB'��4 ϰ�o�>�%������d�wc�[J"iO�kG��>�����+�/�,�0̨̩� ���
�����������m�����������������
Requête brute (extrait)
�������������5_��͝-��b����@�� �}ϩ�|MB'��4 ϰ�o�>�%������d�wc�[J"iO�kG��>�����+�/�,�0̨̩� ��� �����������m� ��������������������������� � � ����������� �������������������������2��������������������������������� �h2�http/1.1�+��������3��������i���5������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206e656f346a5f6874747020726561647920706f72743d373437340d0a",
"emulator_response_len": 41,
"bytes_in": 1497,
"payload_entropy": 7.765792774768138,
"port_category": "registered",
"org": "Google LLC",
"service": "neo4j-http",
"app_proto": "neo4j-http",
"asn": 396982,
"country": "US",
"dst_port": 7474,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "974b8feb12e5244aad66dfdc819b5215a84d9b75",
"event_fingerprint": "ffdd3fa787ef458447ff0cfdafc3f198ff9634ff",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "neo4j-http",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9360edee20e68409c4803a32f17ad341",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 7474,
"service": "neo4j-http",
"service_name": "neo4j-http",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd5_\ufffd\ufffd\u035d-\u0014\ufffdb\u0019\ufffd\u000e\ufffd@\ufffd\ufffd\f\ufffd}\u03e9\ufffd|MB'\ufffd\u00194 \u03f0\ufffdo\ufffd>\ufffd%\u0004\ufffd\ufffd\ufffd\u0011\ufffdd\ufffdwc\ufffd[J\"iO\ufffdkG\ufffd\ufffd>\ufffd\u001d\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd5_\ufffd\ufffd\u035d-\u0014\ufffdb\u0019\ufffd\u000e\ufffd@\ufffd\ufffd\f\ufffd}\u03e9\ufffd|MB'\ufffd\u00194 \u03f0\ufffdo\ufffd>\ufffd%\u0004\ufffd\ufffd\ufffd\u0011\ufffdd\ufffdwc\ufffd[J\"iO\ufffdkG\ufffd\ufffd>\ufffd\u001d\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffdi\u0011\ufffd\ufffd5\u001c\ufffd\ufffd\ufffd\ufffd\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd5_\ufffd\ufffd\u035d-\u0014\ufffdb\u0019\ufffd\u000e\ufffd@\ufffd\ufffd\f\ufffd}\u03e9\ufffd|MB'\ufffd\u00194 \u03f0\ufffdo\ufffd>\ufffd%\u0004\ufffd\ufffd\ufffd\u0011\ufffdd\ufffdwc\ufffd[J\"iO\ufffdkG\ufffd\ufffd>\ufffd\u001d\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a67c620e2fd8f30695ffcbb3300fb98023aec3e1",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd5_\ufffd\ufffd\u035d-\u0014\ufffdb\u0019\ufffd\u000e\ufffd@\ufffd\ufffd\f\ufffd}\u03e9\ufffd|MB'\ufffd\u00194 \u03f0\ufffdo\ufffd>\ufffd%\u0004\ufffd\ufffd\ufffd\u0011\ufffdd\ufffdwc\ufffd[J\"iO\ufffdkG\ufffd\ufffd>\ufffd\u001d\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 7474,
"service": "neo4j-http",
"service_label_fr": "NEO4J HTTP"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd5_\ufffd\ufffd\u035d-\ufffdb\ufffd\ufffd@\ufffd\ufffd\ufffd}\u03e9\ufffd|MB'\ufffd4 \u03f0\ufffdo\ufffd>\ufffd%\ufffd\ufffd\ufffd\ufffdd\ufffdwc\ufffd[J\"iO\ufffdkG\ufffd\ufffd>\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdm\ufffd",
"attack_vector": "postgres probe \u00b7 via NEO4J HTTP:7474 \u00b7 (sonde \/ probe)",
"target_port_label": "7474 \u00b7 NEO4J HTTP",
"emulator_service": "neo4j-http",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "neo4j-http",
"service_label_fr": "NEO4J HTTP",
"dst_port": 7474,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-neo4j-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd5_\ufffd\ufffd\u035d-\u0014\ufffdb\u0019\ufffd\u000e\ufffd@\ufffd\ufffd\f\ufffd}\u03e9\ufffd|MB'\ufffd\u00194 \u03f0\ufffdo\ufffd>\ufffd%\u0004\ufffd\ufffd\ufffd\u0011\ufffdd\ufffdwc\ufffd[J\"iO\ufffdkG\ufffd\ufffd>\ufffd\u001d\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 7474,
"service": "neo4j-http",
"service_label_fr": "NEO4J HTTP"
},
"attack_vector": "postgres probe \u00b7 via NEO4J HTTP:7474 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd5_\ufffd\ufffd\u035d-\ufffdb\ufffd\ufffd@\ufffd\ufffd\ufffd}\u03e9\ufffd|MB'\ufffd4 \u03f0\ufffdo\ufffd>\ufffd%\ufffd\ufffd\ufffd\ufffdd\ufffdwc\ufffd[J\"iO\ufffdkG\ufffd\ufffd>\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdm\ufffd",
"target_port_label": "7474 \u00b7 NEO4J HTTP",
"emulator_service": "neo4j-http",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "neo4j_http",
"service_banner": "honeypot-neo4j-http",
"service_os": "linux",
"dst_port": "7474"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"couchdb",
"http",
"neo4j-http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"neo4j_http_emulated",
"neo4j_http_payload",
"net_neo4j_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5601 · HTTP
|
http
|
probe api
probe api · via HTTP:5601 · (sonde / probe) · → /api/status
|
Élevée
|
Moyen · 60
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET /api/status UA Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0)
Émulateur
HTTP
WAF
23
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950600:k8s-api
Cible HTTP
GET
/api/status
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5601
Chemin / cible
/api/status
Pourquoi cette classification : Type « probe_api » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 60
Confiance : Confiance 50 % — 4 tag(s) WAF
Protocole émulé
1
Signaux
Upstream
Waf Score
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET /api/status HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0)
Règles WAF
rce-0
nosqli-3
k8s-api
Payload (extrait)
GET /api/status HTTP/1.1
Host: 62.3.50.33:5601
User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0)
Accept: applicat
Requête brute (extrait)
GET /api/status HTTP/1.1 Host: 62.3.50.33:5601 User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0) Accept: application/json, text/plain, */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a6b626e2d6e616d653a20686f6e6579706f742d6b6962616e610d0a6b626e2d76657273696f6e3a20382e31312e300d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2034340d0a0d0a7b2273746174757322",
"emulator_response_len": 163,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": null,
"http_ua_hash": "2f77999faa5826c892af6439e64dd84b922a9948",
"http_host_hash": "0e6e37a3aba52797339f42933431830756a0515c",
"http_target_hash": "7fbc29f027b400f6512972fd492109517e235ed4",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 180,
"payload_entropy": 5.202421641796314,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 5601,
"risk_waf": 100,
"risk_classification": 60,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 100,
"classification": 60,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 60,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "59eb7b692d13ad334aed59d05b7e566aa16a5090",
"event_fingerprint": "250e2065f3e1c173372f05dd39ab0ee341825b3b",
"classification_reason": "Type \u00ab probe_api \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence": 0.58,
"classification_confidence": 0.58,
"precision_score": 55,
"precision_signals": [
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 60,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 60,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "7cd0386134a3ad0b8f62775338903fd3",
"payload_hash": "2cd25976534663feb502389a93fef9a5",
"path_pattern_hash": "0ea44bf547cfd3e93a42dabfc2f1808a"
},
"target_context": {
"dst_port": 5601,
"service": "http",
"service_name": "http",
"risk_score": 60
},
"payload_preview": "GET \/api\/status HTTP\/1.1\r\nHost: 62.3.50.33:5601\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: applicat",
"method": "GET",
"path": "\/api\/status",
"user_agent": "Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950600:k8s-api"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"k8s-api"
],
"request_line": "GET \/api\/status HTTP\/1.1",
"request_sample": "GET \/api\/status HTTP\/1.1\r\nHost: 62.3.50.33:5601\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, text\/plain, *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/api\/status HTTP\/1.1\r\nHost: 62.3.50.33:5601\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: applicat",
"evidence": {
"method": "GET",
"path": "\/api\/status",
"user_agent": "Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950600:k8s-api"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"k8s-api"
],
"request_line": "GET \/api\/status HTTP\/1.1",
"request_sample": "GET \/api\/status HTTP\/1.1\r\nHost: 62.3.50.33:5601\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, text\/plain, *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/api\/status HTTP\/1.1\r\nHost: 62.3.50.33:5601\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: applicat",
"classification_reason": "Type \u00ab probe_api \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "27780ae107f22359561e74984b8fb09d2d085897",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/status",
"request_line": "GET \/api\/status HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)",
"port": 5601,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/api\/status HTTP\/1.1\r\nHost: 62.3.50.33:5601\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: applicat",
"attack_vector": "probe api \u00b7 via HTTP:5601 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/api\/status",
"target_port_label": "5601 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab probe_api \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab probe_api \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 58 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 100,
"classification": 60,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 60,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 60,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 5601,
"protocol_emulated": true,
"tags_summary": [
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/status",
"request_line": "GET \/api\/status HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)",
"port": 5601,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "probe api \u00b7 via HTTP:5601 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/api\/status",
"evidence_snippet": "GET \/api\/status HTTP\/1.1\r\nHost: 62.3.50.33:5601\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: applicat",
"target_port_label": "5601 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "5601"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"couchdb",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950600:k8s-api",
"http_probe_api",
"net_web_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5984 · COUCHDB
|
couchdb
|
couchdb probe
couchdb probe · via COUCHDB:5984 · (sonde / probe)
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
COUCHDB
WAF
—
Recommandation
Surveiller
Tags
couchdb_emulated
couchdb_payload
http_get_probe
mozi_pattern
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5984
Chemin / cible
—
Service
COUCHDB
Payload
GET / HTTP/1.1 Host: 62.3.50.33:5984 User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0) Accept: application/json,
Pourquoi cette classification : Type « couchdb_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 34
Confiance : Confiance 0 % — 5 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:5984
User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0)
Accept: application/json,
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:5984 User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0) Accept: application/json, text/plain, */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a20436f75636844422f332e332e33202845726c616e67204f5450290d0a582d436f75636844422d426f64792d54696d653a20300d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a20313534",
"emulator_response_len": 286,
"bytes_in": 170,
"payload_entropy": 5.258590863596797,
"port_category": "registered",
"org": "Google LLC",
"service": "couchdb",
"app_proto": "couchdb",
"asn": 396982,
"country": "US",
"dst_port": 5984,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25
},
"risk_score": 34,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "cd4aa24d616b8c8c9fdc7b65c18cba1fa792652c",
"event_fingerprint": "ff7d4ab9a5d149e36f724b4980f53d45ea707dff",
"classification_reason": "Type \u00ab couchdb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 34
},
"named_classification_skipped": false,
"service_name": "couchdb",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "201f92be7833b6b75f23e7680697ba38",
"path_pattern_hash": "ce747dac2688338e030a6b5f71103175"
},
"target_context": {
"dst_port": 5984,
"service": "couchdb",
"service_name": "couchdb",
"risk_score": 34
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, ",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, text\/plain, *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, text\/plain, *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"classification_reason": "Type \u00ab couchdb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "80e1620eda73645d357a102bdc2c995704495da8",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"port": 5984,
"service": "couchdb",
"service_label_fr": "COUCHDB"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"attack_vector": "couchdb probe \u00b7 via COUCHDB:5984 \u00b7 (sonde \/ probe)",
"target_port_label": "5984 \u00b7 COUCHDB",
"emulator_service": "couchdb",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab couchdb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab couchdb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 34
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "couchdb",
"service_label_fr": "COUCHDB",
"dst_port": 5984,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-couchdb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"port": 5984,
"service": "couchdb",
"service_label_fr": "COUCHDB"
},
"attack_vector": "couchdb probe \u00b7 via COUCHDB:5984 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"target_port_label": "5984 \u00b7 COUCHDB",
"emulator_service": "couchdb",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "couchdb",
"service_banner": "honeypot-couchdb",
"service_os": "linux",
"dst_port": "5984"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"couchdb_emulated",
"couchdb_payload",
"http_get_probe",
"mozi_pattern",
"net_couchdb_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7474 · NEO4J HTTP
|
neo4j-http
|
neo4j probe
neo4j probe · via NEO4J HTTP:7474 · (sonde / probe)
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
NEO4J-HTTP
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mozi_pattern
neo4j_http_emulated
neo4j_http_payload
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7474
Chemin / cible
—
Service
NEO4J HTTP
Payload
GET / HTTP/1.1 Host: 62.3.50.33:7474 User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0) Accept: application/json,
Pourquoi cette classification : Type « neo4j_probe » (signaux protocolaires) · confiance 0%
Confiance classification
8%
Corrélation +8
Risque capteur
Faible
· 34
Confiance : Confiance 0 % — 5 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:7474
User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0)
Accept: application/json,
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:7474 User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0) Accept: application/json, text/plain, */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206e656f346a5f6874747020726561647920706f72743d373437340d0a",
"emulator_response_len": 41,
"bytes_in": 170,
"payload_entropy": 5.251266672433053,
"port_category": "registered",
"org": "Google LLC",
"service": "neo4j-http",
"app_proto": "neo4j-http",
"asn": 396982,
"country": "US",
"dst_port": 7474,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25
},
"risk_score": 34,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "998d5ac935ce497d2e50c5015154703e40e58cbe",
"event_fingerprint": "ffdd3fa787ef458447ff0cfdafc3f198ff9634ff",
"classification_reason": "Type \u00ab neo4j_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0.08,
"classification_confidence": 0.08,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 34,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "neo4j-http",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fb045059ac0fca312eed610879891ad4",
"path_pattern_hash": "f73c9a0e87cbb3a4f1935c8231eef1b9"
},
"target_context": {
"dst_port": 7474,
"service": "neo4j-http",
"service_name": "neo4j-http",
"risk_score": 34
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, ",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, text\/plain, *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, text\/plain, *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"classification_reason": "Type \u00ab neo4j_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5f04cf722e6f00cdc9d9325fbc53a5aeb9cef1c5",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"port": 7474,
"service": "neo4j-http",
"service_label_fr": "NEO4J HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"attack_vector": "neo4j probe \u00b7 via NEO4J HTTP:7474 \u00b7 (sonde \/ probe)",
"target_port_label": "7474 \u00b7 NEO4J HTTP",
"emulator_service": "neo4j-http",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab neo4j_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab neo4j_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100",
"confidence_pct": 8,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 34,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "neo4j-http",
"service_label_fr": "NEO4J HTTP",
"dst_port": 7474,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-neo4j-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"port": 7474,
"service": "neo4j-http",
"service_label_fr": "NEO4J HTTP"
},
"attack_vector": "neo4j probe \u00b7 via NEO4J HTTP:7474 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"target_port_label": "7474 \u00b7 NEO4J HTTP",
"emulator_service": "neo4j-http",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "neo4j_http",
"service_banner": "honeypot-neo4j-http",
"service_os": "linux",
"dst_port": "7474"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"couchdb",
"neo4j-http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mozi_pattern",
"neo4j_http_emulated",
"neo4j_http_payload",
"net_neo4j_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7474 · NEO4J HTTP
|
neo4j-http
|
Sonde PostgreSQL
postgres probe · via NEO4J HTTP:7474 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
NEO4J-HTTP
WAF
—
Recommandation
Surveiller
Tags
neo4j_http_emulated
neo4j_http_payload
net_neo4j_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7474
Chemin / cible
—
Service
NEO4J HTTP
Payload
�����������Z@��7@��o�� ]�t?��~� T�|,��)�i# =� �Ҳ�����/�M�%w��d���&lϮ��$����+�/�,�0̨̩� ��� �����������m� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������Z@��7@��o�� ]�t?��~� T�|,��)�i# =�
�Ҳ�����/�M�%w��d���&lϮ��$����+�/�,�0̨̩� ���
�����������m�����������������
Requête brute (extrait)
�����������Z@��7@��o�� ]�t?��~� T�|,��)�i# =� �Ҳ�����/�M�%w��d���&lϮ��$����+�/�,�0̨̩� ��� �����������m� ��������������������������� � � ����������� �������������������������2��������������������������������� �h2�http/1.1�+��������3���������"m�����$e�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206e656f346a5f6874747020726561647920706f72743d373437340d0a",
"emulator_response_len": 41,
"bytes_in": 1497,
"payload_entropy": 7.736484648990297,
"port_category": "registered",
"org": "Google LLC",
"service": "neo4j-http",
"app_proto": "neo4j-http",
"asn": 396982,
"country": "US",
"dst_port": 7474,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "974b8feb12e5244aad66dfdc819b5215a84d9b75",
"event_fingerprint": "ffdd3fa787ef458447ff0cfdafc3f198ff9634ff",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "neo4j-http",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "40a083bc1623aa8e42aa1789ca1e86c0",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 7474,
"service": "neo4j-http",
"service_name": "neo4j-http",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003Z@\ufffd\ufffd7@\ufffd\ufffdo\ufffd\ufffd\t]\ufffdt?\ufffd\ufffd~\ufffd T\ufffd|,\ufffd\ufffd)\ufffdi# =\ufffd\r\u0003\u04b2\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffdM\ufffd%w\u0006\ufffdd\ufffd\ufffd\ufffd&l\u03ee\ufffd\ufffd$\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003Z@\ufffd\ufffd7@\ufffd\ufffdo\ufffd\ufffd\t]\ufffdt?\ufffd\ufffd~\ufffd T\ufffd|,\ufffd\ufffd)\ufffdi# =\ufffd\r\u0003\u04b2\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffdM\ufffd%w\u0006\ufffdd\ufffd\ufffd\ufffd&l\u03ee\ufffd\ufffd$\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\u0010\"m\u001d\ufffd\u0006\ufffd\ufffd$e\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003Z@\ufffd\ufffd7@\ufffd\ufffdo\ufffd\ufffd\t]\ufffdt?\ufffd\ufffd~\ufffd T\ufffd|,\ufffd\ufffd)\ufffdi# =\ufffd\r\u0003\u04b2\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffdM\ufffd%w\u0006\ufffdd\ufffd\ufffd\ufffd&l\u03ee\ufffd\ufffd$\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7fac54a0a3887d26e58b2a67b2eb214d1ed0b661",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003Z@\ufffd\ufffd7@\ufffd\ufffdo\ufffd\ufffd\t]\ufffdt?\ufffd\ufffd~\ufffd T\ufffd|,\ufffd\ufffd)\ufffdi# =\ufffd\r\u0003\u04b2\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffdM\ufffd%w\u0006\ufffdd\ufffd\ufffd\ufffd&l\u03ee\ufffd\ufffd$\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 7474,
"service": "neo4j-http",
"service_label_fr": "NEO4J HTTP"
},
"evidence_snippet": "\ufffd\ufffdZ@\ufffd\ufffd7@\ufffd\ufffdo\ufffd\ufffd\t]\ufffdt?\ufffd\ufffd~\ufffd T\ufffd|,\ufffd\ufffd)\ufffdi# =\ufffd\r\u04b2\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffdM\ufffd%w\ufffdd\ufffd\ufffd\ufffd&l\u03ee\ufffd\ufffd$\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdm\ufffd",
"attack_vector": "postgres probe \u00b7 via NEO4J HTTP:7474 \u00b7 (sonde \/ probe)",
"target_port_label": "7474 \u00b7 NEO4J HTTP",
"emulator_service": "neo4j-http",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "neo4j-http",
"service_label_fr": "NEO4J HTTP",
"dst_port": 7474,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-neo4j-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003Z@\ufffd\ufffd7@\ufffd\ufffdo\ufffd\ufffd\t]\ufffdt?\ufffd\ufffd~\ufffd T\ufffd|,\ufffd\ufffd)\ufffdi# =\ufffd\r\u0003\u04b2\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffdM\ufffd%w\u0006\ufffdd\ufffd\ufffd\ufffd&l\u03ee\ufffd\ufffd$\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005m\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 7474,
"service": "neo4j-http",
"service_label_fr": "NEO4J HTTP"
},
"attack_vector": "postgres probe \u00b7 via NEO4J HTTP:7474 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdZ@\ufffd\ufffd7@\ufffd\ufffdo\ufffd\ufffd\t]\ufffdt?\ufffd\ufffd~\ufffd T\ufffd|,\ufffd\ufffd)\ufffdi# =\ufffd\r\u04b2\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffdM\ufffd%w\ufffdd\ufffd\ufffd\ufffd&l\u03ee\ufffd\ufffd$\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdm\ufffd",
"target_port_label": "7474 \u00b7 NEO4J HTTP",
"emulator_service": "neo4j-http",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "neo4j_http",
"service_banner": "honeypot-neo4j-http",
"service_os": "linux",
"dst_port": "7474"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"couchdb",
"neo4j-http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"neo4j_http_emulated",
"neo4j_http_payload",
"net_neo4j_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5984 · COUCHDB
|
couchdb
|
couchdb probe
couchdb probe · via COUCHDB:5984 · (sonde / probe)
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
COUCHDB
WAF
—
Recommandation
Surveiller
Tags
couchdb_emulated
couchdb_payload
http_get_probe
mozi_pattern
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5984
Chemin / cible
—
Service
COUCHDB
Payload
GET / HTTP/1.1 Host: 62.3.50.33:5984 User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0) Accept: application/json,
Pourquoi cette classification : Type « couchdb_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 34
Confiance : Confiance 0 % — 5 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:5984
User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0)
Accept: application/json,
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:5984 User-Agent: Mozilla/5.0 (compatible; EchelonGraph-Verify/1.0) Accept: application/json, text/plain, */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a20436f75636844422f332e332e33202845726c616e67204f5450290d0a582d436f75636844422d426f64792d54696d653a20300d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a20313534",
"emulator_response_len": 286,
"bytes_in": 170,
"payload_entropy": 5.258590863596797,
"port_category": "registered",
"org": "Google LLC",
"service": "couchdb",
"app_proto": "couchdb",
"asn": 396982,
"country": "US",
"dst_port": 5984,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25
},
"risk_score": 34,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "cd4aa24d616b8c8c9fdc7b65c18cba1fa792652c",
"event_fingerprint": "ff7d4ab9a5d149e36f724b4980f53d45ea707dff",
"classification_reason": "Type \u00ab couchdb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 34
},
"named_classification_skipped": false,
"service_name": "couchdb",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "201f92be7833b6b75f23e7680697ba38",
"path_pattern_hash": "ce747dac2688338e030a6b5f71103175"
},
"target_context": {
"dst_port": 5984,
"service": "couchdb",
"service_name": "couchdb",
"risk_score": 34
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, ",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, text\/plain, *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json, text\/plain, *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"classification_reason": "Type \u00ab couchdb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "80e1620eda73645d357a102bdc2c995704495da8",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"port": 5984,
"service": "couchdb",
"service_label_fr": "COUCHDB"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"attack_vector": "couchdb probe \u00b7 via COUCHDB:5984 \u00b7 (sonde \/ probe)",
"target_port_label": "5984 \u00b7 COUCHDB",
"emulator_service": "couchdb",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab couchdb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab couchdb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 34
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "couchdb",
"service_label_fr": "COUCHDB",
"dst_port": 5984,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-couchdb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"port": 5984,
"service": "couchdb",
"service_label_fr": "COUCHDB"
},
"attack_vector": "couchdb probe \u00b7 via COUCHDB:5984 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5984\r\nUser-Agent: Mozilla\/5.0 (compatible; EchelonGraph-Verify\/1.0)\r\nAccept: application\/json,",
"target_port_label": "5984 \u00b7 COUCHDB",
"emulator_service": "couchdb",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "couchdb",
"service_banner": "honeypot-couchdb",
"service_os": "linux",
"dst_port": "5984"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"couchdb_emulated",
"couchdb_payload",
"http_get_probe",
"mozi_pattern",
"net_couchdb_probe"
],
"asn_dc_heuristic": true
}
|