15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /.git/config
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /.git/config UA Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040614 …
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
pat-0198
Upstream
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /.git/config
Ligne de requête
GET /.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040614 Firefox/0.8
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040614 Fir
Requête brute (extrait)
GET /.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040614 Firefox/0.8 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "git\/config",
"http_ua_hash": "ea88c02b135d472772ab0b545cce2bda4b435f1c",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "e2f253eab0d0cf5422d24d22ae2a4954398768df",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 205,
"payload_entropy": 5.290112923165334,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "b9609a3018172d42880abe86b456b48e63116074",
"event_fingerprint": "0e48f7a21255baa40dca16c938a250b566009d55",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 270,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0198",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0198",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0198"
],
"matched_pattern_names": [
"Probe \/.git\/config"
],
"pattern_ids": [
"pat-0198"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "0f05db919617121c5aabfed71e90d70d",
"payload_hash": "059d3487e5d807faf8829855c0d71e7c",
"path_pattern_hash": "3ec26e4f0817b37785cd5e68fed88892"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko\/20040614 Fir",
"method": "GET",
"path": "\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko\/20040614 Firefox\/0.8",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/.git\/config HTTP\/1.1",
"request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko\/20040614 Firefox\/0.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko\/20040614 Fir",
"evidence": {
"method": "GET",
"path": "\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko\/20040614 Firefox\/0.8",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/.git\/config HTTP\/1.1",
"request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko\/20040614 Firefox\/0.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko\/20040614 Fir",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "25a6297fd41698d2112f183b9dba497197281c9d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.git\/config",
"request_line": "GET \/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko\/20040614 Firefox\/0.8",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko\/20040614 Fir",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0198",
"INT-upstream"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"pat-0198",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.git\/config",
"request_line": "GET \/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko\/20040614 Firefox\/0.8",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.git\/config",
"evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko\/20040614 Fir",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_git",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /backend/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /backend/.git/config UA Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120502 Firefox/1…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/backend/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/backend/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /backend/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120502 Firefox/12.0 SeaMonkey/2.9.1
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /backend/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120502 Fire
Requête brute (extrait)
GET /backend/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120502 Firefox/12.0 SeaMonkey/2.9.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "329b57f0c63ff8aaabab5a13dd83c43ae717d24a",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "2482ac6c987d570b89dfba6cfee3dc3ac194789d",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 221,
"payload_entropy": 5.299111853271062,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "85ebafbb945dfc8d0e7d204ac533d7e1c289adeb",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "e1bbf2fdbf5a204510f8f30f34e5c41d",
"payload_hash": "13d9f51ffa32ed8fdba6c6f3b69ec0e9",
"path_pattern_hash": "2de751ea5a34e7a22b69004dc29faa62"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Fire",
"method": "GET",
"path": "\/backend\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 SeaMonkey\/2.9.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/backend\/.git\/config HTTP\/1.1",
"request_sample": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 SeaMonkey\/2.9.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Fire",
"evidence": {
"method": "GET",
"path": "\/backend\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 SeaMonkey\/2.9.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/backend\/.git\/config HTTP\/1.1",
"request_sample": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 SeaMonkey\/2.9.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Fire",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2876ccbb6d529d087ba8c63d606dd4dd4ac8f45f",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.git\/config",
"request_line": "GET \/backend\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 SeaMonkey\/2.9.1",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Fire",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.git\/config",
"request_line": "GET \/backend\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 SeaMonkey\/2.9.1",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.git\/config",
"evidence_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Fire",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /src/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /src/.git/config UA Mozilla/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/src/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/src/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /src/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /src/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit/537.36 (
Requête brute (extrait)
GET /src/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "ffd896806011214c0d7d768003862a1c33794a95",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "46e050e820087702ef14a381ebad48881db62e31",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 256,
"payload_entropy": 5.416914204099184,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "4007f48948366c36272c34dc8439be60c73fd0ef",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "8ad1486b6dfdef2c081df31d9864716f",
"payload_hash": "95a388644a64a856d235352f456e35ec",
"path_pattern_hash": "83762003e224a5603ed7ad8ff32c59fc"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit\/537.36 (",
"method": "GET",
"path": "\/src\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/src\/.git\/config HTTP\/1.1",
"request_sample": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit\/537.36 (",
"evidence": {
"method": "GET",
"path": "\/src\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/src\/.git\/config HTTP\/1.1",
"request_sample": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit\/537.36 (",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "90c7ff6780666fe94b24b1714058ca6a9cbd0dbb",
"protocol_details": {
"http_method": "GET",
"http_path": "\/src\/.git\/config",
"request_line": "GET \/src\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.\u2026",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit\/537.36 (",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/src\/.git\/config",
"request_line": "GET \/src\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.\u2026",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.git\/config",
"evidence_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.2.2; WX10K) AppleWebKit\/537.36 (",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /html/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /html/.git/config UA Mozilla/5.0 (Linux; Android 7.0; PRA-LX1 Build/HUAWEIPRA-LX1) A…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/html/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/html/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /html/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 7.0; PRA-LX1 Build/HUAWEIPRA-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.91 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /html/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Linux; Android 7.0; PRA-LX1 Build/HUAWEIPRA-LX1)
Requête brute (extrait)
GET /html/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Linux; Android 7.0; PRA-LX1 Build/HUAWEIPRA-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.91 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "942f895bfa8fcae202e82f3c021e5feda394a90b",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "ed148acba970ce3061829b4dd97608d1a6997773",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 277,
"payload_entropy": 5.508083006852533,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "3e16e634d8efb575f4b9523dc8195514f4b04031",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a811f0c560a5a9143d74c74ca2c02bbb",
"payload_hash": "123daae778ea4c5ed96f0e1ea5db9315",
"path_pattern_hash": "985e825857a4aae20b7bcc62b05870c4"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; PRA-LX1 Build\/HUAWEIPRA-LX1)",
"method": "GET",
"path": "\/html\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 7.0; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.91 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/html\/.git\/config HTTP\/1.1",
"request_sample": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.91 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n",
"payload_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; PRA-LX1 Build\/HUAWEIPRA-LX1)",
"evidence": {
"method": "GET",
"path": "\/html\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 7.0; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.91 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/html\/.git\/config HTTP\/1.1",
"request_sample": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.91 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n",
"payload_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; PRA-LX1 Build\/HUAWEIPRA-LX1)",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "937d270f3c1aae5db495351bfd631c64429e05cd",
"protocol_details": {
"http_method": "GET",
"http_path": "\/html\/.git\/config",
"request_line": "GET \/html\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.9\u2026",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; PRA-LX1 Build\/HUAWEIPRA-LX1)",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/html\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/html\/.git\/config",
"request_line": "GET \/html\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.9\u2026",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/html\/.git\/config",
"evidence_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; PRA-LX1 Build\/HUAWEIPRA-LX1)",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /public/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /public/.git/config UA Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/537.36…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/public/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/public/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /public/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /public/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/53
Requête brute (extrait)
GET /public/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "78b5ce573f8bf720549aba6289877bc57c1ff5e2",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "8257582ae447b9a2124e0414764cac0aac8808de",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 263,
"payload_entropy": 5.4045228296182035,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "0167a74b3c7dac249b685a9839c45cb313a2b56e",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "912d30cca638bf5acc269d96a2dbe209",
"payload_hash": "e8b2d200563ca3eff705765e6f475f8c",
"path_pattern_hash": "78b85c05b86f9869fecb7907511b414c"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/53",
"method": "GET",
"path": "\/public\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/public\/.git\/config HTTP\/1.1",
"request_sample": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl",
"payload_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/53",
"evidence": {
"method": "GET",
"path": "\/public\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/public\/.git\/config HTTP\/1.1",
"request_sample": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl",
"payload_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/53",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cd0df9876575b3fae701a239c8c2f874c1bbae3c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/public\/.git\/config",
"request_line": "GET \/public\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/53",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/public\/.git\/config",
"request_line": "GET \/public\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/.git\/config",
"evidence_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/53",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /api/.git/config
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /api/.git/config UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, …
Émulateur
HTTP
WAF
31
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/api/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/api/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /api/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
k8s-api
Payload (extrait)
GET /api/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
Requête brute (extrait)
GET /api/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "30debfe1f999186751af2ebc80d855016141ec0b",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "4d60538c38eae0fe13cbc99a2ea3645cbb337669",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 243,
"payload_entropy": 5.389344669037943,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "db2e69f6b8b04e5945a26655062ef42affdebcbf",
"event_fingerprint": "cf5693fa0213aa246c903ffb6a133624db917fc9",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "eea04be78dce61df226b6b0cade53f2b",
"payload_hash": "03e0c24e1ad2df41af2525d77ea87ab6",
"path_pattern_hash": "3ed56f63a5d3aef03e8853abb49b3eea"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,",
"method": "GET",
"path": "\/api\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"950600:k8s-api"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0",
"k8s-api"
],
"request_line": "GET \/api\/.git\/config HTTP\/1.1",
"request_sample": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,",
"evidence": {
"method": "GET",
"path": "\/api\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"950600:k8s-api"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0",
"k8s-api"
],
"request_line": "GET \/api\/.git\/config HTTP\/1.1",
"request_sample": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "32dd2f065baf848d4cedf22196714aae8962a8a7",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.git\/config",
"request_line": "GET \/api\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.git\/config",
"request_line": "GET \/api\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.git\/config",
"evidence_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"950600:k8s-api",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_api",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /frontend/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /frontend/.git/config UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/frontend/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/frontend/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /frontend/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /frontend/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.
Requête brute (extrait)
GET /frontend/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "252b93efa155a5637c584f729eef797ba6dba612",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "79637aca3de7d81f8030ec893ab364d04845083c",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 254,
"payload_entropy": 5.392392539147475,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "c499f44a2bbe39c729321a28307efb32c285460a",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "1e6b2a724d1ae943a7a06e4531665258",
"payload_hash": "d19ddcc64da36635267ce1aacfd25218",
"path_pattern_hash": "916bc8abf1fa018cce797ab5bdb418f0"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.",
"method": "GET",
"path": "\/frontend\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/frontend\/.git\/config HTTP\/1.1",
"request_sample": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.",
"evidence": {
"method": "GET",
"path": "\/frontend\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/frontend\/.git\/config HTTP\/1.1",
"request_sample": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4f984a9c11a7e693803935675b6b63d040f88176",
"protocol_details": {
"http_method": "GET",
"http_path": "\/frontend\/.git\/config",
"request_line": "GET \/frontend\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/frontend\/.git\/config",
"request_line": "GET \/frontend\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.git\/config",
"evidence_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /assets/.git/config
Élevée
Moyen · 64
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /assets/.git/config UA Mozilla/4.8 [en] (X11; U; SunOS; 5.7 sun4u)
Émulateur
HTTP
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950513:leak-0
http_backup_file_scan
Cible HTTP
GET
/assets/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/assets/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 64
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /assets/.git/config HTTP/1.1
User-Agent
Mozilla/4.8 [en] (X11; U; SunOS; 5.7 sun4u)
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /assets/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/4.8 [en] (X11; U; SunOS; 5.7 sun4u)
Accept-Charset
Requête brute (extrait)
GET /assets/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/4.8 [en] (X11; U; SunOS; 5.7 sun4u) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "53ef54d76f30eef1516d89df56f88387e6379041",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "e81ca9a0554d6690b053d3acc558b05833b1c696",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 181,
"payload_entropy": 5.251905795494504,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 92,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 64,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "963b08ec518ba598fcaf25c6022059b303700d4f",
"event_fingerprint": "8f1c2ba93b410d3909a610e23c36a833717cc888",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "4a7b0650ea5c045432d9872e6e4ca6ac",
"payload_hash": "87ad137f874815fc7787ff3d6a2239c0",
"path_pattern_hash": "70c13b709566f458c71892575aa001e0"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 64
},
"payload_preview": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\r\nAccept-Charset",
"method": "GET",
"path": "\/assets\/.git\/config",
"user_agent": "Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/assets\/.git\/config HTTP\/1.1",
"request_sample": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\r\nAccept-Charset",
"evidence": {
"method": "GET",
"path": "\/assets\/.git\/config",
"user_agent": "Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/assets\/.git\/config HTTP\/1.1",
"request_sample": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\r\nAccept-Charset",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8c71fc7fe970d62fdc52f804b26f48001eb6f926",
"protocol_details": {
"http_method": "GET",
"http_path": "\/assets\/.git\/config",
"request_line": "GET \/assets\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\r\nAccept-Charset",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 64,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/assets\/.git\/config",
"request_line": "GET \/assets\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/.git\/config",
"evidence_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\r\nAccept-Charset",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_assets",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /static/.git/config
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /static/.git/config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/static/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/static/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /static/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /static/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit
Requête brute (extrait)
GET /static/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "adeb4337ed9be574ee9228c31215cf29ec8f78ad",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "521a53c26ae63c9f634cf4a8753a3e9a31c14380",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 258,
"payload_entropy": 5.372550134076255,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "842b1876629985dfe851b435093ff7cd3e17584c",
"event_fingerprint": "1fff17961a35c13268d080d80e12af251e2c9e32",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "970e1ddff0ca7ba19c10194c144c7adc",
"payload_hash": "8bbbb6b66c83ecb9a1c5fe9869fbb47a",
"path_pattern_hash": "8991b5397bf20ed66988d72bf753894a"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"method": "GET",
"path": "\/static\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/static\/.git\/config HTTP\/1.1",
"request_sample": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n",
"payload_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"evidence": {
"method": "GET",
"path": "\/static\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/static\/.git\/config HTTP\/1.1",
"request_sample": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n",
"payload_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "26b912264328252cd6d77f17a4d64a4c72b1d706",
"protocol_details": {
"http_method": "GET",
"http_path": "\/static\/.git\/config",
"request_line": "GET \/static\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/static\/.git\/config",
"request_line": "GET \/static\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/.git\/config",
"evidence_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_static",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /build/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /build/.git/config UA Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/build/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/build/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /build/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.2.1
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /build/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Fire
Requête brute (extrait)
GET /build/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.2.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "10c31b7aa3b04a8cf74e2365ca5371ba60f79588",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "6aeebdefc1a7f3903e2f068a42149eb080915c7b",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 222,
"payload_entropy": 5.323806437603367,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "d3d14173f8c456ec8f14c3aff9bb6c7b7010fc3a",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "15c8e8e411bb4d263e2ad0a0167c4942",
"payload_hash": "e4921f419e5bfdd7c64a36bb95fe23fb",
"path_pattern_hash": "203627ae3f02d834b42dc778d4676888"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Fire",
"method": "GET",
"path": "\/build\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firefox\/38.0 Iceweasel\/38.2.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/build\/.git\/config HTTP\/1.1",
"request_sample": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firefox\/38.0 Iceweasel\/38.2.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Fire",
"evidence": {
"method": "GET",
"path": "\/build\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firefox\/38.0 Iceweasel\/38.2.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/build\/.git\/config HTTP\/1.1",
"request_sample": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firefox\/38.0 Iceweasel\/38.2.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Fire",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "47bac8daf98f711e16aa51e09bc4c49f5f7aa99b",
"protocol_details": {
"http_method": "GET",
"http_path": "\/build\/.git\/config",
"request_line": "GET \/build\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firefox\/38.0 Iceweasel\/38.2.1",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Fire",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/build\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/build\/.git\/config",
"request_line": "GET \/build\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firefox\/38.0 Iceweasel\/38.2.1",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/build\/.git\/config",
"evidence_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Fire",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /admin/.git/config
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /admin/.git/config UA Mozilla/5.0 (Linux; Android 9; PH-1) AppleWebKit/537.36 (KHTML,…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/admin/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/admin/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
ET Magento admin
ES admin GET
ActiveMQ console
Ligne de requête
GET /admin/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; PH-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /admin/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Linux; Android 9; PH-1) AppleWebKit/537.36 (KHT
Requête brute (extrait)
GET /admin/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Linux; Android 9; PH-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "6383d57b72cd2e226c297a4d17132164a10944c1",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "0d4fda54689ca91aa1cd9ce83cd7fe814ab26468",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 254,
"payload_entropy": 5.384644052959612,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 10,
"anomaly_count": 0,
"campaign_key": "79051122f6605c381061818a40182eec0b44a5d7",
"event_fingerprint": "182ce00014a82ea5d7c26592dea53806559c1022",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0854",
"pat-0341",
"pat-0606"
],
"matched_pattern_names": [
"ET Magento admin",
"ES admin GET",
"ActiveMQ console"
],
"pattern_ids": [
"pat-0854",
"pat-0341",
"pat-0606"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "6dd90fdc6e31cb7cc3fd41d7e7cb6773",
"payload_hash": "4ffc14a6a4c7cf047000edda5e119f38",
"path_pattern_hash": "b0ac58c50c927a70e841faaa3da36222"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHT",
"method": "GET",
"path": "\/admin\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/admin\/.git\/config HTTP\/1.1",
"request_sample": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHT",
"evidence": {
"method": "GET",
"path": "\/admin\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/admin\/.git\/config HTTP\/1.1",
"request_sample": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHT",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1befb9ec97ae51bbf06e056a3e54068eb3cb3da7",
"protocol_details": {
"http_method": "GET",
"http_path": "\/admin\/.git\/config",
"request_line": "GET \/admin\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHT",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/admin\/.git\/config",
"request_line": "GET \/admin\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.git\/config",
"evidence_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; PH-1) AppleWebKit\/537.36 (KHT",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_admin_panel_probe",
"http_admin_panel_scan",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_admin",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /site/.git/config
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /site/.git/config UA Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaC7-00/012.003; Profil…
Émulateur
HTTP
WAF
35
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/site/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/site/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /site/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaC7-00/012.003; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.3 3gpp-gba
Règles WAF
lfi-14
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /site/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaC7-00/012.003; Prof
Requête brute (extrait)
GET /site/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaC7-00/012.003; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.3 3gpp-gba Accept-Charset
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "6cfd166b61723c480885efd5126981ceeeffd077",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "99d75e39037b11054e155a03133c80282ea1c965",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 309,
"payload_entropy": 5.412104284366662,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "b1b8c92d9a9e1a9387f4fa44856c9513f35c38d1",
"event_fingerprint": "9ccfa7b7903a5b9670042454d0ed90d8cfd2c54d",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "72246318dea41b245028a7a4036a07b7",
"payload_hash": "1c78f8b9ccf7794451697351ca54c183",
"path_pattern_hash": "6901c63c2daa99b93d9d7c027371b852"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC7-00\/012.003; Prof",
"method": "GET",
"path": "\/site\/.git\/config",
"user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC7-00\/012.003; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.3 3gpp-gba",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/site\/.git\/config HTTP\/1.1",
"request_sample": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC7-00\/012.003; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.3 3gpp-gba\r\nAccept-Charset",
"payload_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC7-00\/012.003; Prof",
"evidence": {
"method": "GET",
"path": "\/site\/.git\/config",
"user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC7-00\/012.003; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.3 3gpp-gba",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/site\/.git\/config HTTP\/1.1",
"request_sample": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC7-00\/012.003; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.3 3gpp-gba\r\nAccept-Charset",
"payload_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC7-00\/012.003; Prof",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2e2528c7493850af44ce75cfe83a82cd2393ebfd",
"protocol_details": {
"http_method": "GET",
"http_path": "\/site\/.git\/config",
"request_line": "GET \/site\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC7-00\/012.003; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHT\u2026",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC7-00\/012.003; Prof",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/site\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/site\/.git\/config",
"request_line": "GET \/site\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC7-00\/012.003; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHT\u2026",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/site\/.git\/config",
"evidence_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC7-00\/012.003; Prof",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /v1/.git/config
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /v1/.git/config UA Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/531…
Émulateur
HTTP
WAF
35
Recommandation
Investiguer
Tags
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/v1/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/v1/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /v1/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Règles WAF
lfi-14
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /v1/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/531
Requête brute (extrait)
GET /v1/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "7ab0c686ff75fae6677ed1a1adec1cc0ee7d5e4c",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "852e68c3e2549d34d36a9b5a3605571990e68c97",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 253,
"payload_entropy": 5.359643834769622,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "59994eed54168eafba5ba44522a9d8c2d853dcb8",
"event_fingerprint": "d35458130142edb98d3ec2c4da7479e665ba8134",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f4117fc4a3c2ed7cb3cda2bdad942e46",
"payload_hash": "f8cc4bbe649c03b3c290b1fff47327f9",
"path_pattern_hash": "0efea7c22b821f254abb056b9239c5c5"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit\/531",
"method": "GET",
"path": "\/v1\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit\/531.21.8 (KHTML, like Gecko) Version\/4.0.4 Safari\/531.21.10",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v1\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit\/531.21.8 (KHTML, like Gecko) Version\/4.0.4 Safari\/531.21.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit\/531",
"evidence": {
"method": "GET",
"path": "\/v1\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit\/531.21.8 (KHTML, like Gecko) Version\/4.0.4 Safari\/531.21.10",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v1\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit\/531.21.8 (KHTML, like Gecko) Version\/4.0.4 Safari\/531.21.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit\/531",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0ab8ae1828491a688eef06e125f7d17d4f3b6698",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v1\/.git\/config",
"request_line": "GET \/v1\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit\/531.21.8 (KHTML, like Gecko) Version\/4.0.4 Safari\/531.21.10",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit\/531",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v1\/.git\/config",
"request_line": "GET \/v1\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit\/531.21.8 (KHTML, like Gecko) Version\/4.0.4 Safari\/531.21.10",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/.git\/config",
"evidence_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit\/531",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /v3/.git/config
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /v3/.git/config UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, …
Émulateur
HTTP
WAF
35
Recommandation
Investiguer
Tags
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/v3/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/v3/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /v3/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3947.100 Safari/537.36
Règles WAF
lfi-14
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /v3/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
Requête brute (extrait)
GET /v3/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3947.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "592d941ab35990a767abedd3f5d5a36f7488c908",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "4bf76a52a29633f52f17f2cac5ee4daa8e021adb",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 243,
"payload_entropy": 5.427622875891875,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "59994eed54168eafba5ba44522a9d8c2d853dcb8",
"event_fingerprint": "d14149f7548860e2e44d5e7303d04168f008f702",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "7be7045c484139edb587d31ba0fbdbff",
"payload_hash": "b9d930b2389b1a4d75ebe54beedeaa75",
"path_pattern_hash": "4562786c79a4c5f0790c3581071f5847"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, ",
"method": "GET",
"path": "\/v3\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3947.100 Safari\/537.36",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v3\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3947.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,",
"evidence": {
"method": "GET",
"path": "\/v3\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3947.100 Safari\/537.36",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v3\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3947.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e3c237567668af0af7c7075d2c4cb6b0939c3309",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v3\/.git\/config",
"request_line": "GET \/v3\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3947.100 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v3\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v3\/.git\/config",
"request_line": "GET \/v3\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3947.100 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v3\/.git\/config",
"evidence_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /web/.git/config
Élevée
Moyen · 62
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /web/.git/config UA BlackBerry9530/4.7.0.167 Profile/MIDP-2.0 Configuration/CLDC-1.…
Émulateur
HTTP
WAF
20
Recommandation
Investiguer
Tags
950468:nosqli-3
950470:nosqli-3
950513:leak-0
http_backup_file_scan
Cible HTTP
GET
/web/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/web/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 62
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /web/.git/config HTTP/1.1
User-Agent
BlackBerry9530/4.7.0.167 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/102 UP.Link/6.3.1.20.0
Règles WAF
nosqli-3
leak-0
Payload (extrait)
GET /web/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: BlackBerry9530/4.7.0.167 Profile/MIDP-2.0 Configuration/CLDC-1
Requête brute (extrait)
GET /web/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: BlackBerry9530/4.7.0.167 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/102 UP.Link/6.3.1.20.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "032aa236fb47322552122ab3c77885024df9b4f5",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "f32c2ab0d87a20f2415a1cf44997c48739d87917",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 231,
"payload_entropy": 5.305911573060365,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 88,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 62,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "cd53a447cf8aaff8e2cb30b85e13e544802b970a",
"event_fingerprint": "0719e0eb5a87a99d8e09060f8d88d15ab6ab5ddf",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 62,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "0ebdb23e08a31acbd893000f0c621490",
"payload_hash": "726022b35260d320986bcaaf8071490c",
"path_pattern_hash": "2be87edfa036da6580e700b188114b92"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 62
},
"payload_preview": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1",
"method": "GET",
"path": "\/web\/.git\/config",
"user_agent": "BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/102 UP.Link\/6.3.1.20.0",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"nosqli-3",
"leak-0"
],
"request_line": "GET \/web\/.git\/config HTTP\/1.1",
"request_sample": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/102 UP.Link\/6.3.1.20.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1",
"evidence": {
"method": "GET",
"path": "\/web\/.git\/config",
"user_agent": "BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/102 UP.Link\/6.3.1.20.0",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"nosqli-3",
"leak-0"
],
"request_line": "GET \/web\/.git\/config HTTP\/1.1",
"request_sample": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/102 UP.Link\/6.3.1.20.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f0e2823f52a34365b8ed1d7809058ac61cb319b9",
"protocol_details": {
"http_method": "GET",
"http_path": "\/web\/.git\/config",
"request_line": "GET \/web\/.git\/config HTTP\/1.1",
"http_user_agent": "BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/102 UP.Link\/6.3.1.20.0",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 62,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 62,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/web\/.git\/config",
"request_line": "GET \/web\/.git\/config HTTP\/1.1",
"http_user_agent": "BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/102 UP.Link\/6.3.1.20.0",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web\/.git\/config",
"evidence_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /htdocs/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /htdocs/.git/config UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/htdocs/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/htdocs/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /htdocs/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /htdocs/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
Requête brute (extrait)
GET /htdocs/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "2be45be822a0113cf3e9179d7148a66947b7d527",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "91751256d60394a8b0340bb86ad1a8313b8dadfa",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 252,
"payload_entropy": 5.414406594929242,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "c48fddf24d796e64ff61a4349577bed860e0d05c",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "8a11a34e9c12e87c61c23a0d679ff58e",
"payload_hash": "1f0a568999441c9368a272f138ed9cd3",
"path_pattern_hash": "9d5b4b02a118c63f9864fb4303c2c2fa"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36",
"method": "GET",
"path": "\/htdocs\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/htdocs\/.git\/config HTTP\/1.1",
"request_sample": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36",
"evidence": {
"method": "GET",
"path": "\/htdocs\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/htdocs\/.git\/config HTTP\/1.1",
"request_sample": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bd1c70ac3c323b864fc9cf3735224d481313a594",
"protocol_details": {
"http_method": "GET",
"http_path": "\/htdocs\/.git\/config",
"request_line": "GET \/htdocs\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/htdocs\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/htdocs\/.git\/config",
"request_line": "GET \/htdocs\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/htdocs\/.git\/config",
"evidence_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /dist/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /dist/.git/config UA Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.16823/1428; U; en) Presto…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/dist/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/dist/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /dist/.git/config HTTP/1.1
User-Agent
Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.16823/1428; U; en) Presto/2.2.0
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /dist/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.16823/1428; U; en) Pres
Requête brute (extrait)
GET /dist/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.16823/1428; U; en) Presto/2.2.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "09a4b3e3917fbeeac28c7a1a64a80cf7ec659ff3",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "b2ec2395164738dbd60ce81f264be6255104bfff",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 205,
"payload_entropy": 5.240053222420036,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "a262e4bdfa9d11618614344217869734be7f2324",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "bd63bc1a2a5969253f7255ca4aa2418e",
"payload_hash": "5ade1babb61f41eaa0a3f64ef225954c",
"path_pattern_hash": "dd1606cd54dc95eed2c024184678427e"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Pres",
"method": "GET",
"path": "\/dist\/.git\/config",
"user_agent": "Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Presto\/2.2.0",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/dist\/.git\/config HTTP\/1.1",
"request_sample": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Presto\/2.2.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Pres",
"evidence": {
"method": "GET",
"path": "\/dist\/.git\/config",
"user_agent": "Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Presto\/2.2.0",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/dist\/.git\/config HTTP\/1.1",
"request_sample": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Presto\/2.2.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Pres",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6878d555ae4b3d173b76c476ac571b287b4c9116",
"protocol_details": {
"http_method": "GET",
"http_path": "\/dist\/.git\/config",
"request_line": "GET \/dist\/.git\/config HTTP\/1.1",
"http_user_agent": "Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Presto\/2.2.0",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Pres",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/dist\/.git\/config",
"request_line": "GET \/dist\/.git\/config HTTP\/1.1",
"http_user_agent": "Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Presto\/2.2.0",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/.git\/config",
"evidence_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Pres",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /www/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /www/.git/config UA Mozilla/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit/537…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/www/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/www/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /www/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /www/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit/53
Requête brute (extrait)
GET /www/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "208a5cbf0fc7d240848063dbff88d6709f96c8b9",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "7b5c6d1b9506a8d5fe958dbcf1ffdcdd61f34f9e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 263,
"payload_entropy": 5.3977859432310415,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "be74932472d2e1ada3681d06d908b6c9c909a4af",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "228909d23038f057c842d65ee94d2358",
"payload_hash": "10c3629edf3cd3b21911c4a32a60d920",
"path_pattern_hash": "2067f182832f5bbc5f3205656471af53"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit\/53",
"method": "GET",
"path": "\/www\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/www\/.git\/config HTTP\/1.1",
"request_sample": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl",
"payload_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit\/53",
"evidence": {
"method": "GET",
"path": "\/www\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/www\/.git\/config HTTP\/1.1",
"request_sample": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl",
"payload_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit\/53",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4dbc43c1a6124efde6cef4b970c344284beed83a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/www\/.git\/config",
"request_line": "GET \/www\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safa\u2026",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit\/53",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/www\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/www\/.git\/config",
"request_line": "GET \/www\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safa\u2026",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/www\/.git\/config",
"evidence_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto G Play) AppleWebKit\/53",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /portal/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /portal/.git/config UA Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (K…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/portal/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/portal/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /portal/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Chrome/10.0.613.0 Safari/534.15
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /portal/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.1
Requête brute (extrait)
GET /portal/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Chrome/10.0.613.0 Safari/534.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "be1b0422073ac373e9c719ca6b743a7fcb737ca2",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "c6c2b01731ed2b569c9ab907e9a96206a2cfc6cc",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 250,
"payload_entropy": 5.403590983061974,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "5cd17f7f9b5ca62c72ac1c29221fffb6d413b473",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "729eda3df9bea18b602258c2de583c94",
"payload_hash": "e5aaefecfb925cb713cf7a7bce05b866",
"path_pattern_hash": "b68e69ddda3386f78de437bb71fa9236"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.1",
"method": "GET",
"path": "\/portal\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/portal\/.git\/config HTTP\/1.1",
"request_sample": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.1",
"evidence": {
"method": "GET",
"path": "\/portal\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/portal\/.git\/config HTTP\/1.1",
"request_sample": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.1",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "86712b4ec07b212e52663084434d21fc6855befd",
"protocol_details": {
"http_method": "GET",
"http_path": "\/portal\/.git\/config",
"request_line": "GET \/portal\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.1",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/portal\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/portal\/.git\/config",
"request_line": "GET \/portal\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/portal\/.git\/config",
"evidence_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.1",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /wp-content/.git/config
Élevée
Moyen · 62
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /wp-content/.git/config UA SonyEricssonW810i/R4EA Browser/NetFront/3.3 Profile/MIDP-2.0 Co…
Émulateur
HTTP
WAF
20
Recommandation
Investiguer
Tags
950468:nosqli-3
950470:nosqli-3
950513:leak-0
http_backup_file_scan
Cible HTTP
GET
/wp-content/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/wp-content/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 62
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /wp-content/.git/config HTTP/1.1
User-Agent
SonyEricssonW810i/R4EA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0
Règles WAF
nosqli-3
leak-0
Payload (extrait)
GET /wp-content/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: SonyEricssonW810i/R4EA Browser/NetFront/3.3 Profile/MID
Requête brute (extrait)
GET /wp-content/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: SonyEricssonW810i/R4EA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "5eb0afc57bd11aa7abf9efc5e8e450b72f4e5475",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "1cbb6121d6675be288abb212d6a93556d924de3d",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 243,
"payload_entropy": 5.232905081402206,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 88,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 62,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "cd53a447cf8aaff8e2cb30b85e13e544802b970a",
"event_fingerprint": "66ff53d6c0aa75f334ac30a77dc49069005c777e",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 62,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "955f0c754fbeaecfd26cdcc94f2dc21c",
"payload_hash": "a19ec4c8c54e30263f96588fa4f1d135",
"path_pattern_hash": "653b421a6e10a22436e18cc595f6a1ee"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 62
},
"payload_preview": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: SonyEricssonW810i\/R4EA Browser\/NetFront\/3.3 Profile\/MID",
"method": "GET",
"path": "\/wp-content\/.git\/config",
"user_agent": "SonyEricssonW810i\/R4EA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"nosqli-3",
"leak-0"
],
"request_line": "GET \/wp-content\/.git\/config HTTP\/1.1",
"request_sample": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: SonyEricssonW810i\/R4EA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: SonyEricssonW810i\/R4EA Browser\/NetFront\/3.3 Profile\/MID",
"evidence": {
"method": "GET",
"path": "\/wp-content\/.git\/config",
"user_agent": "SonyEricssonW810i\/R4EA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"nosqli-3",
"leak-0"
],
"request_line": "GET \/wp-content\/.git\/config HTTP\/1.1",
"request_sample": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: SonyEricssonW810i\/R4EA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: SonyEricssonW810i\/R4EA Browser\/NetFront\/3.3 Profile\/MID",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e50ace0c5a73d29017750fcdf59d13690765096b",
"protocol_details": {
"http_method": "GET",
"http_path": "\/wp-content\/.git\/config",
"request_line": "GET \/wp-content\/.git\/config HTTP\/1.1",
"http_user_agent": "SonyEricssonW810i\/R4EA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: SonyEricssonW810i\/R4EA Browser\/NetFront\/3.3 Profile\/MID",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-content\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 62,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 62,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/wp-content\/.git\/config",
"request_line": "GET \/wp-content\/.git\/config HTTP\/1.1",
"http_user_agent": "SonyEricssonW810i\/R4EA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-content\/.git\/config",
"evidence_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: SonyEricssonW810i\/R4EA Browser\/NetFront\/3.3 Profile\/MID",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /app/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/.git/config UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/app/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/app/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /app/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, lik
Requête brute (extrait)
GET /app/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "b7dbb77006289d2a6ac7f75e37f57d67bcd72a30",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "c0d576333b61f38bb5785040d2824435407a4c84",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 239,
"payload_entropy": 5.440333098433019,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "240dce736f96efb0bb4834347e9633a432b6fce6",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cb8a40895595a09db62be954eef4a952",
"payload_hash": "238c46b5b123dd141368afd030641d00",
"path_pattern_hash": "87d63e686c8d80bd28afc993649c7598"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik",
"method": "GET",
"path": "\/app\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.92 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/app\/.git\/config HTTP\/1.1",
"request_sample": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.92 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik",
"evidence": {
"method": "GET",
"path": "\/app\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.92 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/app\/.git\/config HTTP\/1.1",
"request_sample": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.92 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "479b66c77267e1ab41ef4aa901adbb7e55c5dde1",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.git\/config",
"request_line": "GET \/app\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.92 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.git\/config",
"request_line": "GET \/app\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.92 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.git\/config",
"evidence_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /v2/.git/config
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /v2/.git/config UA Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0)
Émulateur
HTTP
WAF
35
Recommandation
Investiguer
Tags
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/v2/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/v2/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /v2/.git/config HTTP/1.1
User-Agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0)
Règles WAF
lfi-14
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /v2/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0)
Requête brute (extrait)
GET /v2/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "63de3922903cd2b9b24b1d2bd23e4deb1b136a2e",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "3a5f2466c34928bb38a61b739c70bfc69a077a30",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 197,
"payload_entropy": 5.295155802715405,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "59994eed54168eafba5ba44522a9d8c2d853dcb8",
"event_fingerprint": "ee1156ebf87c733471a90da0f807819f6dec5921",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b2a4aaa6e64a823983ffd070c36d1dd5",
"payload_hash": "00f12b366497c00183afa2994a7f708c",
"path_pattern_hash": "fcafe4006602b874bcf9d18118e88566"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)",
"method": "GET",
"path": "\/v2\/.git\/config",
"user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v2\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)",
"evidence": {
"method": "GET",
"path": "\/v2\/.git\/config",
"user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v2\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3320744fc7dbdf52805282dc0b9d14e065c853d8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v2\/.git\/config",
"request_line": "GET \/v2\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v2\/.git\/config",
"request_line": "GET \/v2\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/.git\/config",
"evidence_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/5.0)",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /blog/.git/config
Élevée
Moyen · 62
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /blog/.git/config UA SonyEricssonW850i/R1ED Browser/NetFront/3.3 Profile/MIDP-2.0 Co…
Émulateur
HTTP
WAF
20
Recommandation
Investiguer
Tags
950468:nosqli-3
950470:nosqli-3
950513:leak-0
http_backup_file_scan
Cible HTTP
GET
/blog/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/blog/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 62
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /blog/.git/config HTTP/1.1
User-Agent
SonyEricssonW850i/R1ED Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1
Règles WAF
nosqli-3
leak-0
Payload (extrait)
GET /blog/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: SonyEricssonW850i/R1ED Browser/NetFront/3.3 Profile/MIDP-2.0
Requête brute (extrait)
GET /blog/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: SonyEricssonW850i/R1ED Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "8a3240f5169197010bb3ea637c2e68ffdccece7c",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "1813dede65bdf71d338345f47e16a42344128e28",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 219,
"payload_entropy": 5.241766439100421,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 88,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 62,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "cd53a447cf8aaff8e2cb30b85e13e544802b970a",
"event_fingerprint": "451fc424880060c8d915fba7f7c21a8bef866f50",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 62,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "5d36d896bcdf3801db5d90cc14b43692",
"payload_hash": "6066c5eb5d017b557ec669f3a6eba9a2",
"path_pattern_hash": "daa6f35b77a4b5cee3d40cc9dc6869ad"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 62
},
"payload_preview": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 ",
"method": "GET",
"path": "\/blog\/.git\/config",
"user_agent": "SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"nosqli-3",
"leak-0"
],
"request_line": "GET \/blog\/.git\/config HTTP\/1.1",
"request_sample": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0",
"evidence": {
"method": "GET",
"path": "\/blog\/.git\/config",
"user_agent": "SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"nosqli-3",
"leak-0"
],
"request_line": "GET \/blog\/.git\/config HTTP\/1.1",
"request_sample": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0a3b1ef3c333d297b8de3d3905909ed94591ca4d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/blog\/.git\/config",
"request_line": "GET \/blog\/.git\/config HTTP\/1.1",
"http_user_agent": "SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/blog\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 62,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 62,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/blog\/.git\/config",
"request_line": "GET \/blog\/.git\/config HTTP\/1.1",
"http_user_agent": "SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/blog\/.git\/config",
"evidence_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: SonyEricssonW850i\/R1ED Browser\/NetFront\/3.3 Profile\/MIDP-2.0",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /shop/.git/config
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /shop/.git/config UA Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/shop/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/shop/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /shop/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.114 Safari/537.36 Puffin/4.8.0.2965AT
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /shop/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/537.36
Requête brute (extrait)
GET /shop/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.114 Safari/537.36 Puffin/4.8.0.2965AT Accept-Charset: utf-8 Accept-Encoding: gzip Conne
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "2867558a8a8f83bc4d626242437291566c64da55",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "802d0aecf0b84c68ef00c159917e7dd44f6dfd34",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 272,
"payload_entropy": 5.4414281678080805,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "e85a1b59f0169d110a14becc24f2c7604cdb0c7a",
"event_fingerprint": "cbe2c1be7c5506d4467391c2ddb76be352f399fb",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "7235a8cab859a9f68b9ff7960d50b124",
"payload_hash": "972fc93a25f432a25835f520189ff0e5",
"path_pattern_hash": "6603e8dbaffaf78a6758aff077d9de4a"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit\/537.36 ",
"method": "GET",
"path": "\/shop\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.114 Safari\/537.36 Puffin\/4.8.0.2965AT",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/shop\/.git\/config HTTP\/1.1",
"request_sample": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.114 Safari\/537.36 Puffin\/4.8.0.2965AT\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne",
"payload_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit\/537.36",
"evidence": {
"method": "GET",
"path": "\/shop\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.114 Safari\/537.36 Puffin\/4.8.0.2965AT",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/shop\/.git\/config HTTP\/1.1",
"request_sample": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.114 Safari\/537.36 Puffin\/4.8.0.2965AT\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne",
"payload_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit\/537.36",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "281fe20a5a4d6ab86614669a28bed3e3ec5c46b4",
"protocol_details": {
"http_method": "GET",
"http_path": "\/shop\/.git\/config",
"request_line": "GET \/shop\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.114 Safari\/537.36 Pu\u2026",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit\/537.36",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/shop\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/shop\/.git\/config",
"request_line": "GET \/shop\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.114 Safari\/537.36 Pu\u2026",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/shop\/.git\/config",
"evidence_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit\/537.36",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_shop",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /dashboard/.git/config
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /dashboard/.git/config UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/dashboard/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/dashboard/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /dashboard/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /dashboard/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537
Requête brute (extrait)
GET /dashboard/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "d132bdde37af872e8ac493c8cc22b5595d4ef1ac",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "8e8dab3e424b71a244774110fadcc774ba40fa59",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 254,
"payload_entropy": 5.435676155559468,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d32c82105e72b5439da62b98b943e911b898b3f0",
"event_fingerprint": "728e3777edd0dcfddd74cf1326ba6ff498071a72",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "57819b3b23420452ac601ea97c8e21ea",
"payload_hash": "8296bb865808588fc82754339de392f9",
"path_pattern_hash": "33b0aba70ccc7970e9e866f8e50aaddb"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537",
"method": "GET",
"path": "\/dashboard\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/dashboard\/.git\/config HTTP\/1.1",
"request_sample": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537",
"evidence": {
"method": "GET",
"path": "\/dashboard\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/dashboard\/.git\/config HTTP\/1.1",
"request_sample": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9aa17932634fcc09114380c416ad69fcef0d9a66",
"protocol_details": {
"http_method": "GET",
"http_path": "\/dashboard\/.git\/config",
"request_line": "GET \/dashboard\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dashboard\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/dashboard\/.git\/config",
"request_line": "GET \/dashboard\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dashboard\/.git\/config",
"evidence_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_traefik",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /laravel/.git/config
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /laravel/.git/config UA facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_u…
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950310:lfi-12
950406:ssrf-3
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/laravel/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/laravel/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « lfi-12 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /laravel/.git/config HTTP/1.1
User-Agent
facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
Règles WAF
lfi-12
ssrf-3
nosqli-3
leak-0
Payload (extrait)
GET /laravel/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: facebookexternalhit/1.1 (+http://www.facebook.com/external
Requête brute (extrait)
GET /laravel/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "b1b8a850aec98eb3184fe6a227dee75dd09e304a",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "ff65c052e15f784544b91aafeff8e6c3f996fc2a",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 212,
"payload_entropy": 5.163260750435598,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "48e244dbbadd70e6c0266c42ae9aacb5ab5db590",
"event_fingerprint": "0f41a2d51bcb9b9ecb69846f0ef8df4f51d0e49b",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "4ca5853667f48de3a0c8bf187a523c50",
"payload_hash": "c4e5980f02411717a1b598437a4a4913",
"path_pattern_hash": "3a3de1279fd8fe4dc4799f8620f7768e"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: facebookexternalhit\/1.1 (+http:\/\/www.facebook.com\/external",
"method": "GET",
"path": "\/laravel\/.git\/config",
"user_agent": "facebookexternalhit\/1.1 (+http:\/\/www.facebook.com\/externalhit_uatext.php)",
"waf_tags": [
"950310:lfi-12",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-12",
"ssrf-3",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/laravel\/.git\/config HTTP\/1.1",
"request_sample": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: facebookexternalhit\/1.1 (+http:\/\/www.facebook.com\/externalhit_uatext.php)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: facebookexternalhit\/1.1 (+http:\/\/www.facebook.com\/external",
"evidence": {
"method": "GET",
"path": "\/laravel\/.git\/config",
"user_agent": "facebookexternalhit\/1.1 (+http:\/\/www.facebook.com\/externalhit_uatext.php)",
"waf_tags": [
"950310:lfi-12",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-12",
"ssrf-3",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/laravel\/.git\/config HTTP\/1.1",
"request_sample": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: facebookexternalhit\/1.1 (+http:\/\/www.facebook.com\/externalhit_uatext.php)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: facebookexternalhit\/1.1 (+http:\/\/www.facebook.com\/external",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f6a81bfc8489fdf8a6ebc8b92fac4be0343d3ca1",
"protocol_details": {
"http_method": "GET",
"http_path": "\/laravel\/.git\/config",
"request_line": "GET \/laravel\/.git\/config HTTP\/1.1",
"http_user_agent": "facebookexternalhit\/1.1 (+http:\/\/www.facebook.com\/externalhit_uatext.php)",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: facebookexternalhit\/1.1 (+http:\/\/www.facebook.com\/external",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/laravel\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/laravel\/.git\/config",
"request_line": "GET \/laravel\/.git\/config HTTP\/1.1",
"http_user_agent": "facebookexternalhit\/1.1 (+http:\/\/www.facebook.com\/externalhit_uatext.php)",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/laravel\/.git\/config",
"evidence_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: facebookexternalhit\/1.1 (+http:\/\/www.facebook.com\/external",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950310:lfi-12",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /symfony/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /symfony/.git/config UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, …
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/symfony/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/symfony/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /symfony/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /symfony/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KH
Requête brute (extrait)
GET /symfony/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "a2bc8a66d217f6cc1c17827aa0c7cd8356021630",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "256775bfb3e8fd0855bebb6ef917cf83cff8a368",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 247,
"payload_entropy": 5.455681440610669,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "67222cd85db73701b5686bbac4378b7455713004",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "e0576f3a0ae19cfab7b31303c43bf668",
"payload_hash": "d5447982941f5e7687ab34532d29581a",
"path_pattern_hash": "8b0b254049cc28b88f641713d31106e0"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KH",
"method": "GET",
"path": "\/symfony\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/symfony\/.git\/config HTTP\/1.1",
"request_sample": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KH",
"evidence": {
"method": "GET",
"path": "\/symfony\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/symfony\/.git\/config HTTP\/1.1",
"request_sample": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KH",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "90d4d0c97042eda74cba89123cfa9e8ba00ee22a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/symfony\/.git\/config",
"request_line": "GET \/symfony\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KH",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/symfony\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/symfony\/.git\/config",
"request_line": "GET \/symfony\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/symfony\/.git\/config",
"evidence_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KH",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /project/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /project/.git/config UA Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/537.36…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/project/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/project/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /project/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /project/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/5
Requête brute (extrait)
GET /project/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "eb5f562431d2b2be668cefafcbd8068399b65a16",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "68976db99265042d7b0c3b91df3fbefc1a56cd37",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 264,
"payload_entropy": 5.386550161212976,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "12aa141930d3f3077d9faf7d7920cdb03f56cf97",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c7f32e4fc5208b6f0c5240836ff4b8ef",
"payload_hash": "d8460d2de5f17c3fbc4fcadc9af90abb",
"path_pattern_hash": "40d5006de80bb36cea868dfbe43c4ff0"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/5",
"method": "GET",
"path": "\/project\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/project\/.git\/config HTTP\/1.1",
"request_sample": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c",
"payload_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/5",
"evidence": {
"method": "GET",
"path": "\/project\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/project\/.git\/config HTTP\/1.1",
"request_sample": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c",
"payload_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/5",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "16655f5727feb9da28abc08c25150a317b9669f7",
"protocol_details": {
"http_method": "GET",
"http_path": "\/project\/.git\/config",
"request_line": "GET \/project\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/\u2026",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/5",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/project\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/project\/.git\/config",
"request_line": "GET \/project\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/\u2026",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/project\/.git\/config",
"evidence_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/5",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /code/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /code/.git/config UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/code/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/code/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /code/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /code/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (
Requête brute (extrait)
GET /code/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "93799164662d1c4517056c596d8144fc6b556370",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "538da175681b2052ab512cad0fb3bd57e81adff0",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 250,
"payload_entropy": 5.41601005382622,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "631fb0acc57ae791c21add336b49d9373e522132",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b4075f62679d7d497f6cecb104e09442",
"payload_hash": "21bea7d4fc2fe94996d2c824ede93aaf",
"path_pattern_hash": "dda1558dfc88b8ae947dda6da613b7f7"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (",
"method": "GET",
"path": "\/code\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/code\/.git\/config HTTP\/1.1",
"request_sample": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (",
"evidence": {
"method": "GET",
"path": "\/code\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/code\/.git\/config HTTP\/1.1",
"request_sample": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7d1072d55bc2ca1fcf3f44748c9af2d7cb0d2d85",
"protocol_details": {
"http_method": "GET",
"http_path": "\/code\/.git\/config",
"request_line": "GET \/code\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/code\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/code\/.git\/config",
"request_line": "GET \/code\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/code\/.git\/config",
"evidence_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:59 UTC
TCP
8190 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8190 · (tentative d'exploit) · → /wordpress/.git/config
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /wordpress/.git/config UA Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.1 (lik…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/wordpress/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/wordpress/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 66
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /wordpress/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.1 (like Gecko) Fedora/4.3.1-3.fc11
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /wordpress/.git/config HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3
Requête brute (extrait)
GET /wordpress/.git/config HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.1 (like Gecko) Fedora/4.3.1-3.fc11 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "ae38dbc6bfe938f209cb9dc0a75968fdae269733",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "466d1ef9599315e8ea185d729b1bb7f4ef3f3e3e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 232,
"payload_entropy": 5.309811076478245,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f293b8f0ca5b32c21e232c166a3b554b9c9997bf",
"event_fingerprint": "f3d9b31734c65b96ed718092f098ac799f82c068",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "8b9dfcb2e76e95d03ed4e98f89a5fca9",
"payload_hash": "a0c9b85cb2047fa893f85e6ad1d5ade1",
"path_pattern_hash": "065fde2a84971d9e936ccb4d03006f9c"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 66
},
"payload_preview": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3",
"method": "GET",
"path": "\/wordpress\/.git\/config",
"user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like Gecko) Fedora\/4.3.1-3.fc11",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/wordpress\/.git\/config HTTP\/1.1",
"request_sample": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like Gecko) Fedora\/4.3.1-3.fc11\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3",
"evidence": {
"method": "GET",
"path": "\/wordpress\/.git\/config",
"user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like Gecko) Fedora\/4.3.1-3.fc11",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/wordpress\/.git\/config HTTP\/1.1",
"request_sample": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like Gecko) Fedora\/4.3.1-3.fc11\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6ef54fa8e527711207b2797f8990f7f14ebbf73f",
"protocol_details": {
"http_method": "GET",
"http_path": "\/wordpress\/.git\/config",
"request_line": "GET \/wordpress\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like Gecko) Fedora\/4.3.1-3.fc11",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3",
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wordpress\/.git\/config",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 66,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 66,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/wordpress\/.git\/config",
"request_line": "GET \/wordpress\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3.1 (like Gecko) Fedora\/4.3.1-3.fc11",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8190 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wordpress\/.git\/config",
"evidence_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.3; Linux) KHTML\/4.3",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
15/06/2026 21:19:56 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�������������d���$��^bպ�x��G�F�jѺ���K���� ?�j�4�]��i��hl&�Jb�(��C���W��6V��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������d���$��^bպ�x��G�F�jѺ���K���� ?�j�4�]��i��hl&�Jb�(��C���W��6V��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������d���$��^bպ�x��G�F�jѺ���K���� ?�j�4�]��i��hl&�Jb�(��C���W��6V��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� l�*��N�X���4��fZ�3g�Cn�������ŋA
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.883275710562069,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "9b0b07264347085f4a98543cb338a3d0",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000ed\ufffd\ufffd\ufffd$\ufffd\ufffd^b\u057a\ufffdx\u0014\ufffdG\ufffdF\ufffdj\u047a\ufffd\u001a\ufffdK\ufffd\u0004\ufffd\ufffd ?\ufffdj\ufffd4\u0007]\ufffd\u0006i\ufffd\u0010hl&\ufffdJb\ufffd(\ufffd\u0003C\ufffd\ufffd\u0007W\ufffd\ufffd6V\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000ed\ufffd\ufffd\ufffd$\ufffd\ufffd^b\u057a\ufffdx\u0014\ufffdG\ufffdF\ufffdj\u047a\ufffd\u001a\ufffdK\ufffd\u0004\ufffd\ufffd ?\ufffdj\ufffd4\u0007]\ufffd\u0006i\ufffd\u0010hl&\ufffdJb\ufffd(\ufffd\u0003C\ufffd\ufffd\u0007W\ufffd\ufffd6V\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 l\ufffd*\ufffd\ufffdN\ufffdX\ufffd\ufffd\u001d4\ufffd\ufffdfZ\ufffd3g\ufffdCn\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u014bA",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000ed\ufffd\ufffd\ufffd$\ufffd\ufffd^b\u057a\ufffdx\u0014\ufffdG\ufffdF\ufffdj\u047a\ufffd\u001a\ufffdK\ufffd\u0004\ufffd\ufffd ?\ufffdj\ufffd4\u0007]\ufffd\u0006i\ufffd\u0010hl&\ufffdJb\ufffd(\ufffd\u0003C\ufffd\ufffd\u0007W\ufffd\ufffd6V\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6885208d4877a751222c6fb7c86b07f557fc9163",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000ed\ufffd\ufffd\ufffd$\ufffd\ufffd^b\u057a\ufffdx\u0014\ufffdG\ufffdF\ufffdj\u047a\ufffd\u001a\ufffdK\ufffd\u0004\ufffd\ufffd ?\ufffdj\ufffd4\u0007]\ufffd\u0006i\ufffd\u0010hl&\ufffdJb\ufffd(\ufffd\u0003C\ufffd\ufffd\u0007W\ufffd\ufffd6V\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd$\ufffd\ufffd^b\u057a\ufffdx\ufffdG\ufffdF\ufffdj\u047a\ufffd\ufffdK\ufffd\ufffd\ufffd ?\ufffdj\ufffd4]\ufffdi\ufffdhl&\ufffdJb\ufffd(\ufffdC\ufffd\ufffdW\ufffd\ufffd6V\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000ed\ufffd\ufffd\ufffd$\ufffd\ufffd^b\u057a\ufffdx\u0014\ufffdG\ufffdF\ufffdj\u047a\ufffd\u001a\ufffdK\ufffd\u0004\ufffd\ufffd ?\ufffdj\ufffd4\u0007]\ufffd\u0006i\ufffd\u0010hl&\ufffdJb\ufffd(\ufffd\u0003C\ufffd\ufffd\u0007W\ufffd\ufffd6V\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd$\ufffd\ufffd^b\u057a\ufffdx\ufffdG\ufffdF\ufffdj\u047a\ufffd\ufffdK\ufffd\ufffd\ufffd ?\ufffdj\ufffd4]\ufffdi\ufffdhl&\ufffdJb\ufffd(\ufffdC\ufffd\ufffdW\ufffd\ufffd6V\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:56 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�������������_Q�L.�h�fۖ ��E��V��Z��؟��#>L �(�%<co� '!�M6b��}��6m��:�A����L�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������_Q�L.�h�fۖ���E��V��Z��؟��#>L �(�%<co� '!�M6b��}��6m��:�A����L�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������_Q�L.�h�fۖ ��E��V��Z��؟��#>L �(�%<co� '!�M6b��}��6m��:�A����L�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� Ï�ҬW%�,�钛�jΊ�Bڙ�� YE�7[��"
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.9622126843425445,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "f2c2a6445a8ed3186d0837d65a452dee",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd_Q\ufffdL.\ufffdh\ufffdf\u06d6\u000b\ufffd\ufffdE\ufffd\ufffdV\ufffd\ufffdZ\ufffd\ufffd\u061f\ufffd\ufffd#>L \ufffd(\ufffd%<co\u0011\t'!\ufffdM6b\ufffd\ufffd}\u001b\ufffd6m\ufffd\u0016:\ufffdA\ufffd\ufffd\u0014\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd_Q\ufffdL.\ufffdh\ufffdf\u06d6\u000b\ufffd\ufffdE\ufffd\ufffdV\ufffd\ufffdZ\ufffd\ufffd\u061f\ufffd\ufffd#>L \ufffd(\ufffd%<co\u0011\t'!\ufffdM6b\ufffd\ufffd}\u001b\ufffd6m\ufffd\u0016:\ufffdA\ufffd\ufffd\u0014\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u00cf\ufffd\u04acW%\ufffd,\ufffd\u949b\ufffdj\u038a\ufffdB\u0699\ufffd\ufffd YE\ufffd7[\u0010\ufffd\"",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd_Q\ufffdL.\ufffdh\ufffdf\u06d6\u000b\ufffd\ufffdE\ufffd\ufffdV\ufffd\ufffdZ\ufffd\ufffd\u061f\ufffd\ufffd#>L \ufffd(\ufffd%<co\u0011\t'!\ufffdM6b\ufffd\ufffd}\u001b\ufffd6m\ufffd\u0016:\ufffdA\ufffd\ufffd\u0014\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "760a717c6e254abefdc07fd82eb184cfb178f5d8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd_Q\ufffdL.\ufffdh\ufffdf\u06d6\u000b\ufffd\ufffdE\ufffd\ufffdV\ufffd\ufffdZ\ufffd\ufffd\u061f\ufffd\ufffd#>L \ufffd(\ufffd%<co\u0011\t'!\ufffdM6b\ufffd\ufffd}\u001b\ufffd6m\ufffd\u0016:\ufffdA\ufffd\ufffd\u0014\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd_Q\ufffdL.\ufffdh\ufffdf\u06d6\ufffd\ufffdE\ufffd\ufffdV\ufffd\ufffdZ\ufffd\ufffd\u061f\ufffd\ufffd#>L \ufffd(\ufffd%<co\t'!\ufffdM6b\ufffd\ufffd}\ufffd6m\ufffd:\ufffdA\ufffd\ufffd\ufffdL&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd_Q\ufffdL.\ufffdh\ufffdf\u06d6\u000b\ufffd\ufffdE\ufffd\ufffdV\ufffd\ufffdZ\ufffd\ufffd\u061f\ufffd\ufffd#>L \ufffd(\ufffd%<co\u0011\t'!\ufffdM6b\ufffd\ufffd}\u001b\ufffd6m\ufffd\u0016:\ufffdA\ufffd\ufffd\u0014\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd_Q\ufffdL.\ufffdh\ufffdf\u06d6\ufffd\ufffdE\ufffd\ufffdV\ufffd\ufffdZ\ufffd\ufffd\u061f\ufffd\ufffd#>L \ufffd(\ufffd%<co\t'!\ufffdM6b\ufffd\ufffd}\ufffd6m\ufffd:\ufffdA\ufffd\ufffd\ufffdL&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:56 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�����������E�Y�*������ ���YI]\$7�h������{p� j�h7��S�8����n�qZ�߁��� ���N�Wn�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������E�Y�*������ ���YI]\$7�h������{p� j�h7��S�8����n�qZ�߁��� ���N�Wn�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������E�Y�*������ ���YI]\$7�h������{p� j�h7��S�8����n�qZ�߁��� ���N�Wn�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �x�Gh��@+��̖c�C��ͯ9��������;
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.897318228257497,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "e92e2be5bc8c640dc54ef56d8f141bf5",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffdY\u001e*\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd\u0012\ufffdYI]\\$7\ufffdh\ufffd\ufffd\u0012\ufffd\b\ufffd{p\ufffd j\ufffdh7\ufffd\u0016S\ufffd8\ufffd\u001f\ufffd\ufffdn\ufffdqZ\ufffd\u07c1\ufffd\ufffd\u0002 \ufffd\ufffd\ufffdN\ufffdWn\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffdY\u001e*\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd\u0012\ufffdYI]\\$7\ufffdh\ufffd\ufffd\u0012\ufffd\b\ufffd{p\ufffd j\ufffdh7\ufffd\u0016S\ufffd8\ufffd\u001f\ufffd\ufffdn\ufffdqZ\ufffd\u07c1\ufffd\ufffd\u0002 \ufffd\ufffd\ufffdN\ufffdWn\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdx\ufffdGh\ufffd\ufffd@+\ufffd\ufffd\u0316c\u001eC\u0017\ufffd\u036f9\ufffd\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffdY\u001e*\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd\u0012\ufffdYI]\\$7\ufffdh\ufffd\ufffd\u0012\ufffd\b\ufffd{p\ufffd j\ufffdh7\ufffd\u0016S\ufffd8\ufffd\u001f\ufffd\ufffdn\ufffdqZ\ufffd\u07c1\ufffd\ufffd\u0002 \ufffd\ufffd\ufffdN\ufffdWn\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a692c814d5beaed84f43de791e768c8513314e8c",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffdY\u001e*\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd\u0012\ufffdYI]\\$7\ufffdh\ufffd\ufffd\u0012\ufffd\b\ufffd{p\ufffd j\ufffdh7\ufffd\u0016S\ufffd8\ufffd\u001f\ufffd\ufffdn\ufffdqZ\ufffd\u07c1\ufffd\ufffd\u0002 \ufffd\ufffd\ufffdN\ufffdWn\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdE\ufffdY*\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffdYI]\\$7\ufffdh\ufffd\ufffd\ufffd\ufffd{p\ufffd j\ufffdh7\ufffdS\ufffd8\ufffd\ufffd\ufffdn\ufffdqZ\ufffd\u07c1\ufffd\ufffd \ufffd\ufffd\ufffdN\ufffdWn&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffdY\u001e*\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd\u0012\ufffdYI]\\$7\ufffdh\ufffd\ufffd\u0012\ufffd\b\ufffd{p\ufffd j\ufffdh7\ufffd\u0016S\ufffd8\ufffd\u001f\ufffd\ufffdn\ufffdqZ\ufffd\u07c1\ufffd\ufffd\u0002 \ufffd\ufffd\ufffdN\ufffdWn\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdE\ufffdY*\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffdYI]\\$7\ufffdh\ufffd\ufffd\ufffd\ufffd{p\ufffd j\ufffdh7\ufffdS\ufffd8\ufffd\ufffd\ufffdn\ufffdqZ\ufffd\u07c1\ufffd\ufffd \ufffd\ufffd\ufffdN\ufffdWn&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:56 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�����������w%��������~4�������H ���ǯ�)W ��E�"䆜��J@��� �-���E��JC��HL�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������w%��������~4�������H ���ǯ�)W ��E�"䆜��J@�����-���E��JC��HL�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������w%��������~4�������H ���ǯ�)W ��E�"䆜��J@��� �-���E��JC��HL�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��:%tA��6������~�>�^YM<L��� �4
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.813539859726967,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "ef6b8dcf6a37a217a19d37fb7d1eeb97",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003w%\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\ufffd~4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH \ufffd\ufffd\ufffd\u01ef\ufffd)W \ufffd\ufffdE\ufffd\"\u419c\ufffd\u000eJ@\ufffd\ufffd\ufffd\u000b\ufffd-\ufffd\ufffd\ufffdE\ufffd\ufffdJC\ufffd\ufffdHL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003w%\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\ufffd~4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH \ufffd\ufffd\ufffd\u01ef\ufffd)W \ufffd\ufffdE\ufffd\"\u419c\ufffd\u000eJ@\ufffd\ufffd\ufffd\u000b\ufffd-\ufffd\ufffd\ufffdE\ufffd\ufffdJC\ufffd\ufffdHL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd:%tA\u001a\ufffd6\ufffd\u0005\ufffd\ufffd\ufffd\ufffd~\ufffd>\ufffd^YM<L\ufffd\ufffd\ufffd \ufffd4",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003w%\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\ufffd~4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH \ufffd\ufffd\ufffd\u01ef\ufffd)W \ufffd\ufffdE\ufffd\"\u419c\ufffd\u000eJ@\ufffd\ufffd\ufffd\u000b\ufffd-\ufffd\ufffd\ufffdE\ufffd\ufffdJC\ufffd\ufffdHL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b8db616aec631bba0926315a69874d7360d70f9a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003w%\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\ufffd~4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH \ufffd\ufffd\ufffd\u01ef\ufffd)W \ufffd\ufffdE\ufffd\"\u419c\ufffd\u000eJ@\ufffd\ufffd\ufffd\u000b\ufffd-\ufffd\ufffd\ufffdE\ufffd\ufffdJC\ufffd\ufffdHL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdw%\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd~4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH \ufffd\ufffd\ufffd\u01ef\ufffd)W \ufffd\ufffdE\ufffd\"\u419c\ufffdJ@\ufffd\ufffd\ufffd\ufffd-\ufffd\ufffd\ufffdE\ufffd\ufffdJC\ufffd\ufffdHL&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003w%\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\ufffd~4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH \ufffd\ufffd\ufffd\u01ef\ufffd)W \ufffd\ufffdE\ufffd\"\u419c\ufffd\u000eJ@\ufffd\ufffd\ufffd\u000b\ufffd-\ufffd\ufffd\ufffdE\ufffd\ufffdJC\ufffd\ufffdHL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdw%\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd~4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH \ufffd\ufffd\ufffd\u01ef\ufffd)W \ufffd\ufffdE\ufffd\"\u419c\ufffdJ@\ufffd\ufffd\ufffd\ufffd-\ufffd\ufffd\ufffdE\ufffd\ufffdJC\ufffd\ufffdHL&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�����������o����෨�{���B����mM d����� ���� ���-��Ĉ[��2F�u�jj�V�ۭ��T�pwo�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������o����෨�{���B����mM d�����
���� ���-��Ĉ[��2F�u�jj�V�ۭ��T�pwo�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������o����෨�{���B����mM d����� ���� ���-��Ĉ[��2F�u�jj�V�ۭ��T�pwo�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� f���XKm���R/`��<�����26 �ŋ�nj?C
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.902110056825389,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "24bcebff10404d0af41a9399f87c403d",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003o\ufffd\ufffd\u001d\ufffd\u0de8\ufffd{\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffdmM\td\ufffd\ufffd\u0017\ufffd\ufffd\r\ufffd\ufffd\u0015\ufffd \ufffd\ufffd\ufffd-\ufffd\ufffd\u0108[\u001c\ufffd2F\ufffdu\ufffdjj\ufffdV\ufffd\u06ed\ufffd\u000fT\u0014pwo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003o\ufffd\ufffd\u001d\ufffd\u0de8\ufffd{\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffdmM\td\ufffd\ufffd\u0017\ufffd\ufffd\r\ufffd\ufffd\u0015\ufffd \ufffd\ufffd\ufffd-\ufffd\ufffd\u0108[\u001c\ufffd2F\ufffdu\ufffdjj\ufffdV\ufffd\u06ed\ufffd\u000fT\u0014pwo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 f\ufffd\ufffd\ufffdXKm\u001a\ufffd\ufffdR\/`\ufffd\ufffd<\ufffd\ufffd\u0014\ufffd\ufffd26\n\ufffd\u014b\ufffdnj?C",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003o\ufffd\ufffd\u001d\ufffd\u0de8\ufffd{\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffdmM\td\ufffd\ufffd\u0017\ufffd\ufffd\r\ufffd\ufffd\u0015\ufffd \ufffd\ufffd\ufffd-\ufffd\ufffd\u0108[\u001c\ufffd2F\ufffdu\ufffdjj\ufffdV\ufffd\u06ed\ufffd\u000fT\u0014pwo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9ba77c04f1400c8f52ea92ddc71e88b409f45b13",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003o\ufffd\ufffd\u001d\ufffd\u0de8\ufffd{\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffdmM\td\ufffd\ufffd\u0017\ufffd\ufffd\r\ufffd\ufffd\u0015\ufffd \ufffd\ufffd\ufffd-\ufffd\ufffd\u0108[\u001c\ufffd2F\ufffdu\ufffdjj\ufffdV\ufffd\u06ed\ufffd\u000fT\u0014pwo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdo\ufffd\ufffd\ufffd\u0de8\ufffd{\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffdmM\td\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd-\ufffd\ufffd\u0108[\ufffd2F\ufffdu\ufffdjj\ufffdV\ufffd\u06ed\ufffdTpwo&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003o\ufffd\ufffd\u001d\ufffd\u0de8\ufffd{\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffdmM\td\ufffd\ufffd\u0017\ufffd\ufffd\r\ufffd\ufffd\u0015\ufffd \ufffd\ufffd\ufffd-\ufffd\ufffd\u0108[\u001c\ufffd2F\ufffdu\ufffdjj\ufffdV\ufffd\u06ed\ufffd\u000fT\u0014pwo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdo\ufffd\ufffd\ufffd\u0de8\ufffd{\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffdmM\td\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd-\ufffd\ufffd\u0108[\ufffd2F\ufffdu\ufffdjj\ufffdV\ufffd\u06ed\ufffdTpwo&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
��������������A�B������}^f�܅��l�������f��� ~�� ��^�g�ca� �q���A�����֞���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������A�B������}^f�܅��l�������f��� ~��
��^�g�ca� �q���A�����֞���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������A�B������}^f�܅��l�������f��� ~�� ��^�g�ca� �q���A�����֞���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��wn�s��C���*������EwX���:���Q�g
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.857110527527633,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "73953ba7470f14e2d939c046dcba1595",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\ufffdA\u0011B\u0016\ufffd\ufffd\ufffd\u001e\ufffd}^f\ufffd\u0705\ufffd\ufffdl\ufffd\ufffd\ufffd\u0004\ufffd\ufffd\ufffdf\ufffd\u0007\u0014 ~\ufffd\ufffd\n\ufffd\ufffd^\ufffdg\ufffdca\ufffd \ufffdq\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\u0017\u001c\u059e\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\ufffdA\u0011B\u0016\ufffd\ufffd\ufffd\u001e\ufffd}^f\ufffd\u0705\ufffd\ufffdl\ufffd\ufffd\ufffd\u0004\ufffd\ufffd\ufffdf\ufffd\u0007\u0014 ~\ufffd\ufffd\n\ufffd\ufffd^\ufffdg\ufffdca\ufffd \ufffdq\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\u0017\u001c\u059e\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdwn\ufffds\u000f\ufffdC\ufffd\ufffd\ufffd*\ufffd\ufffd\u0013\ufffd\ufffd\ufffdEwX\ufffd\u001d\ufffd:\ufffd\u0015\ufffdQ\ufffdg",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\ufffdA\u0011B\u0016\ufffd\ufffd\ufffd\u001e\ufffd}^f\ufffd\u0705\ufffd\ufffdl\ufffd\ufffd\ufffd\u0004\ufffd\ufffd\ufffdf\ufffd\u0007\u0014 ~\ufffd\ufffd\n\ufffd\ufffd^\ufffdg\ufffdca\ufffd \ufffdq\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\u0017\u001c\u059e\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "02e034b6053dd92cda2bb4fb0cf813b474e66b46",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\ufffdA\u0011B\u0016\ufffd\ufffd\ufffd\u001e\ufffd}^f\ufffd\u0705\ufffd\ufffdl\ufffd\ufffd\ufffd\u0004\ufffd\ufffd\ufffdf\ufffd\u0007\u0014 ~\ufffd\ufffd\n\ufffd\ufffd^\ufffdg\ufffdca\ufffd \ufffdq\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\u0017\u001c\u059e\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdAB\ufffd\ufffd\ufffd\ufffd}^f\ufffd\u0705\ufffd\ufffdl\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffd ~\ufffd\ufffd\n\ufffd\ufffd^\ufffdg\ufffdca\ufffd \ufffdq\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\u059e\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\ufffdA\u0011B\u0016\ufffd\ufffd\ufffd\u001e\ufffd}^f\ufffd\u0705\ufffd\ufffdl\ufffd\ufffd\ufffd\u0004\ufffd\ufffd\ufffdf\ufffd\u0007\u0014 ~\ufffd\ufffd\n\ufffd\ufffd^\ufffdg\ufffdca\ufffd \ufffdq\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\u0017\u001c\u059e\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdAB\ufffd\ufffd\ufffd\ufffd}^f\ufffd\u0705\ufffd\ufffdl\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffd ~\ufffd\ufffd\n\ufffd\ufffd^\ufffdg\ufffdca\ufffd \ufffdq\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\u059e\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
������������E�LN���e��=���^Z�������."�=��rO K QM=��zDŽ��/��ǼH�������m�*�j�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������E�LN���e��=���^Z�������."�=��rO K
QM=��zDŽ��/��ǼH�������m�*�j�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������E�LN���e��=���^Z�������."�=��rO K QM=��zDŽ��/��ǼH�������m�*�j�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� Zy�q�5��� _�(뱢�������gC
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.864879218496595,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "d86efb56f98b95a9ea579a7fe8bd59c4",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdE\ufffdLN\u0018\ufffd\ufffde\ufffd\ufffd=\u000f\ufffd\ufffd^Z\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd.\"\ufffd=\ufffd\ufffdrO K\rQM=\ufffd\ufffdz\u01c4\ufffd\ufffd\/\ufffd\u000f\u01fcH\ufffd\ufffd\u0010\ufffd\u0003\ufffd\ufffdm\ufffd*\ufffdj\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdE\ufffdLN\u0018\ufffd\ufffde\ufffd\ufffd=\u000f\ufffd\ufffd^Z\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd.\"\ufffd=\ufffd\ufffdrO K\rQM=\ufffd\ufffdz\u01c4\ufffd\ufffd\/\ufffd\u000f\u01fcH\ufffd\ufffd\u0010\ufffd\u0003\ufffd\ufffdm\ufffd*\ufffdj\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 Zy\ufffdq\udbe3\udc3c\ufffd5\ufffd\ufffd\u001d\f_\ufffd(\ubc62\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000gC",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdE\ufffdLN\u0018\ufffd\ufffde\ufffd\ufffd=\u000f\ufffd\ufffd^Z\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd.\"\ufffd=\ufffd\ufffdrO K\rQM=\ufffd\ufffdz\u01c4\ufffd\ufffd\/\ufffd\u000f\u01fcH\ufffd\ufffd\u0010\ufffd\u0003\ufffd\ufffdm\ufffd*\ufffdj\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cf443638688092c65cccdca2d338d4f2bd246f35",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdE\ufffdLN\u0018\ufffd\ufffde\ufffd\ufffd=\u000f\ufffd\ufffd^Z\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd.\"\ufffd=\ufffd\ufffdrO K\rQM=\ufffd\ufffdz\u01c4\ufffd\ufffd\/\ufffd\u000f\u01fcH\ufffd\ufffd\u0010\ufffd\u0003\ufffd\ufffdm\ufffd*\ufffdj\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdE\ufffdLN\ufffd\ufffde\ufffd\ufffd=\ufffd\ufffd^Z\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd.\"\ufffd=\ufffd\ufffdrO K\rQM=\ufffd\ufffdz\u01c4\ufffd\ufffd\/\ufffd\u01fcH\ufffd\ufffd\ufffd\ufffd\ufffdm\ufffd*\ufffdj&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdE\ufffdLN\u0018\ufffd\ufffde\ufffd\ufffd=\u000f\ufffd\ufffd^Z\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd.\"\ufffd=\ufffd\ufffdrO K\rQM=\ufffd\ufffdz\u01c4\ufffd\ufffd\/\ufffd\u000f\u01fcH\ufffd\ufffd\u0010\ufffd\u0003\ufffd\ufffdm\ufffd*\ufffdj\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdE\ufffdLN\ufffd\ufffde\ufffd\ufffd=\ufffd\ufffd^Z\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd.\"\ufffd=\ufffd\ufffdrO K\rQM=\ufffd\ufffdz\u01c4\ufffd\ufffd\/\ufffd\u01fcH\ufffd\ufffd\ufffd\ufffd\ufffdm\ufffd*\ufffdj&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�����������*��y������>��ʅiAvъ�_�%�l��1�2 �To�]������~�����-���<}�4�:j����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������*��y������>��ʅiAvъ�_�%�l��1�2 �To�]������~�����-���<}�4�:j����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������*��y������>��ʅiAvъ�_�%�l��1�2 �To�]������~�����-���<}�4�:j����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� B�N���c������,�,���~n����&T���
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.818639752290142,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "c3992278ddddab20bf934287c96b59a6",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003*\ufffd\u001ay\ufffd\ufffd\u0016\ufffd\ufffd\u0017>\ufffd\ufffd\u0285iAv\u044a\ufffd_\ufffd%\u000fl\ufffd\ufffd1\b2 \u0001To\ufffd]\u001a\u0007\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\u001c\ufffd\ufffd-\ufffd\ufffd\ufffd<}\u00134\ufffd:j\ufffd\ufffd\u000f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003*\ufffd\u001ay\ufffd\ufffd\u0016\ufffd\ufffd\u0017>\ufffd\ufffd\u0285iAv\u044a\ufffd_\ufffd%\u000fl\ufffd\ufffd1\b2 \u0001To\ufffd]\u001a\u0007\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\u001c\ufffd\ufffd-\ufffd\ufffd\ufffd<}\u00134\ufffd:j\ufffd\ufffd\u000f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 B\u0007N\u0003\ufffd\ufffdc\ufffd\ufffd\ufffd\u0000\ufffd\ufffd,\ufffd,\u0530\ufffd\ufffd\ufffd~n\u0017\ufffd\ufffd\ufffd&T\ufffd\ufffd\u0013",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003*\ufffd\u001ay\ufffd\ufffd\u0016\ufffd\ufffd\u0017>\ufffd\ufffd\u0285iAv\u044a\ufffd_\ufffd%\u000fl\ufffd\ufffd1\b2 \u0001To\ufffd]\u001a\u0007\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\u001c\ufffd\ufffd-\ufffd\ufffd\ufffd<}\u00134\ufffd:j\ufffd\ufffd\u000f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0254e4887adf34fef5b49b37a3b7b8d3807e58c6",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003*\ufffd\u001ay\ufffd\ufffd\u0016\ufffd\ufffd\u0017>\ufffd\ufffd\u0285iAv\u044a\ufffd_\ufffd%\u000fl\ufffd\ufffd1\b2 \u0001To\ufffd]\u001a\u0007\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\u001c\ufffd\ufffd-\ufffd\ufffd\ufffd<}\u00134\ufffd:j\ufffd\ufffd\u000f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd*\ufffdy\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\u0285iAv\u044a\ufffd_\ufffd%l\ufffd\ufffd12 To\ufffd]\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\ufffd\ufffd-\ufffd\ufffd\ufffd<}4\ufffd:j\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003*\ufffd\u001ay\ufffd\ufffd\u0016\ufffd\ufffd\u0017>\ufffd\ufffd\u0285iAv\u044a\ufffd_\ufffd%\u000fl\ufffd\ufffd1\b2 \u0001To\ufffd]\u001a\u0007\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\u001c\ufffd\ufffd-\ufffd\ufffd\ufffd<}\u00134\ufffd:j\ufffd\ufffd\u000f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd*\ufffdy\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\u0285iAv\u044a\ufffd_\ufffd%l\ufffd\ufffd12 To\ufffd]\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\ufffd\ufffd-\ufffd\ufffd\ufffd<}4\ufffd:j\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�������������aݫD7dY&�f�w��.e*�8r"�6��D��g� .Q_l��)?����vRFM�f���� 8���;��rD�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������aݫD7dY&�f�w��.e*�8r"�6��D��g� .Q_l��)?����vRFM�f���� 8���;��rD�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������aݫD7dY&�f�w��.e*�8r"�6��D��g� .Q_l��)?����vRFM�f���� 8���;��rD�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� Ɍ��$.�g��2M}btp^#��QM�������V�
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.80161806586578,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "e30f9436669aa862a8bd763e34169a07",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0011\ufffda\u076bD7dY&\ufffdf\u0013w\ufffd\u000e.e*\ufffd8r\"\u00136\ufffd\ufffdD\ufffd\ufffdg\u0016 .Q_l\u0000\ufffd)?\ufffd\ufffd\ufffd\ufffdvRFM\ufffdf\ufffd\ufffd\u0019\ufffd 8\ufffd\ufffd\u0002;\ufffd\ufffdrD\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0011\ufffda\u076bD7dY&\ufffdf\u0013w\ufffd\u000e.e*\ufffd8r\"\u00136\ufffd\ufffdD\ufffd\ufffdg\u0016 .Q_l\u0000\ufffd)?\ufffd\ufffd\ufffd\ufffdvRFM\ufffdf\ufffd\ufffd\u0019\ufffd 8\ufffd\ufffd\u0002;\ufffd\ufffdrD\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u024c\ufffd\ufffd$.\ufffdg\u0003\ufffd2M}btp^#\ufffd\ufffdQM\ufffd\u0014\ufffd\ufffd\u0017\ufffd\ufffdV\u0015",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0011\ufffda\u076bD7dY&\ufffdf\u0013w\ufffd\u000e.e*\ufffd8r\"\u00136\ufffd\ufffdD\ufffd\ufffdg\u0016 .Q_l\u0000\ufffd)?\ufffd\ufffd\ufffd\ufffdvRFM\ufffdf\ufffd\ufffd\u0019\ufffd 8\ufffd\ufffd\u0002;\ufffd\ufffdrD\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bc8903dcaa65e68772229bdb50e382c75fa5d36a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0011\ufffda\u076bD7dY&\ufffdf\u0013w\ufffd\u000e.e*\ufffd8r\"\u00136\ufffd\ufffdD\ufffd\ufffdg\u0016 .Q_l\u0000\ufffd)?\ufffd\ufffd\ufffd\ufffdvRFM\ufffdf\ufffd\ufffd\u0019\ufffd 8\ufffd\ufffd\u0002;\ufffd\ufffdrD\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffda\u076bD7dY&\ufffdfw\ufffd.e*\ufffd8r\"6\ufffd\ufffdD\ufffd\ufffdg .Q_l\ufffd)?\ufffd\ufffd\ufffd\ufffdvRFM\ufffdf\ufffd\ufffd\ufffd 8\ufffd\ufffd;\ufffd\ufffdrD&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0011\ufffda\u076bD7dY&\ufffdf\u0013w\ufffd\u000e.e*\ufffd8r\"\u00136\ufffd\ufffdD\ufffd\ufffdg\u0016 .Q_l\u0000\ufffd)?\ufffd\ufffd\ufffd\ufffdvRFM\ufffdf\ufffd\ufffd\u0019\ufffd 8\ufffd\ufffd\u0002;\ufffd\ufffdrD\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffda\u076bD7dY&\ufffdfw\ufffd.e*\ufffd8r\"6\ufffd\ufffdD\ufffd\ufffdg .Q_l\ufffd)?\ufffd\ufffd\ufffd\ufffdvRFM\ufffdf\ufffd\ufffd\ufffd 8\ufffd\ufffd;\ufffd\ufffdrD&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
������������o)�k����oZX[���쪴���Ǹ�M�$�.�� �f z�"���(��N� X��4ɲ����ʯ/����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������o)�k����oZX[���쪴���Ǹ�M�$�.�� �f�z�"���(��N� X��4ɲ����ʯ/����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������o)�k����oZX[���쪴���Ǹ�M�$�.�� �f z�"���(��N� X��4ɲ����ʯ/����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��čM�{ ���d�[g-?֭�I ���G�ef�(
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.89238023272793,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "64a03a819498680ae6b96e327394b4d9",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001ao)\ufffdk\ufffd\ufffd\ufffd\ufffdoZX[\ufffd\ufffd\ufffd\ucab4\ufffd\ufffd\ufffd\u01f8\ufffdM\u0016$\ufffd.\ufffd\ufffd \ufffdf\u000bz\ufffd\"\u0018\ufffd\ufffd(\ufffd\ufffdN\ufffd X\ufffd\ufffd4\u0272\ufffd\ufffd\ufffd\ufffd\u02af\/\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001ao)\ufffdk\ufffd\ufffd\ufffd\ufffdoZX[\ufffd\ufffd\ufffd\ucab4\ufffd\ufffd\ufffd\u01f8\ufffdM\u0016$\ufffd.\ufffd\ufffd \ufffdf\u000bz\ufffd\"\u0018\ufffd\ufffd(\ufffd\ufffdN\ufffd X\ufffd\ufffd4\u0272\ufffd\ufffd\ufffd\ufffd\u02af\/\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0010\ufffd\u010dM\ufffd{\f\ufffd\ufffd\ufffdd\ufffd[g-?\u05ad\ufffdI\f\ufffd\ufffd\ufffdG\ufffdef\ufffd(",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001ao)\ufffdk\ufffd\ufffd\ufffd\ufffdoZX[\ufffd\ufffd\ufffd\ucab4\ufffd\ufffd\ufffd\u01f8\ufffdM\u0016$\ufffd.\ufffd\ufffd \ufffdf\u000bz\ufffd\"\u0018\ufffd\ufffd(\ufffd\ufffdN\ufffd X\ufffd\ufffd4\u0272\ufffd\ufffd\ufffd\ufffd\u02af\/\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e694ab361ecccdac6533b9f36e76d96e46862578",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001ao)\ufffdk\ufffd\ufffd\ufffd\ufffdoZX[\ufffd\ufffd\ufffd\ucab4\ufffd\ufffd\ufffd\u01f8\ufffdM\u0016$\ufffd.\ufffd\ufffd \ufffdf\u000bz\ufffd\"\u0018\ufffd\ufffd(\ufffd\ufffdN\ufffd X\ufffd\ufffd4\u0272\ufffd\ufffd\ufffd\ufffd\u02af\/\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdo)\ufffdk\ufffd\ufffd\ufffd\ufffdoZX[\ufffd\ufffd\ufffd\ucab4\ufffd\ufffd\ufffd\u01f8\ufffdM$\ufffd.\ufffd\ufffd \ufffdfz\ufffd\"\ufffd\ufffd(\ufffd\ufffdN\ufffd X\ufffd\ufffd4\u0272\ufffd\ufffd\ufffd\ufffd\u02af\/\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001ao)\ufffdk\ufffd\ufffd\ufffd\ufffdoZX[\ufffd\ufffd\ufffd\ucab4\ufffd\ufffd\ufffd\u01f8\ufffdM\u0016$\ufffd.\ufffd\ufffd \ufffdf\u000bz\ufffd\"\u0018\ufffd\ufffd(\ufffd\ufffdN\ufffd X\ufffd\ufffd4\u0272\ufffd\ufffd\ufffd\ufffd\u02af\/\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdo)\ufffdk\ufffd\ufffd\ufffd\ufffdoZX[\ufffd\ufffd\ufffd\ucab4\ufffd\ufffd\ufffd\u01f8\ufffdM$\ufffd.\ufffd\ufffd \ufffdfz\ufffd\"\ufffd\ufffd(\ufffd\ufffdN\ufffd X\ufffd\ufffd4\u0272\ufffd\ufffd\ufffd\ufffd\u02af\/\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
������������� �j-���R���=���<�D�!�qA#��Ů�Y ���s��D�,��C��ZB� ����]�B g��p$��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���������������j-���R���=���<�D�!�qA#��Ů�Y ���s��D�,��C��ZB� ����]�B g��p$��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������� �j-���R���=���<�D�!�qA#��Ů�Y ���s��D�,��C��ZB� ����]�B g��p$��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �@�� ��|��QJ�,�H���MrO^v�3y���8
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.808399757228528,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "51a98bc1b0a4fc5d4165e5fcc98d2294",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\u000b\ufffdj-\ufffd\ufffd\u001eR\ufffd\u001e\ufffd=\ufffd\ufffd\ufffd<\u0002D\ufffd!\u001eqA#\ufffd\ufffd\u016e\ufffdY \ufffd\ufffd\ufffds\ufffd\u000eD\ufffd,\ufffd\ufffdC\ufffd\ufffdZB\ufffd\t\ufffd\ufffd\u001b\ufffd]\ufffdB g\ufffd\ufffdp$\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\u000b\ufffdj-\ufffd\ufffd\u001eR\ufffd\u001e\ufffd=\ufffd\ufffd\ufffd<\u0002D\ufffd!\u001eqA#\ufffd\ufffd\u016e\ufffdY \ufffd\ufffd\ufffds\ufffd\u000eD\ufffd,\ufffd\ufffdC\ufffd\ufffdZB\ufffd\t\ufffd\ufffd\u001b\ufffd]\ufffdB g\ufffd\ufffdp$\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd@\u0013\ufffd\u000b \ufffd\ufffd|\ufffd\ufffdQJ\ufffd,\ufffdH\ufffd\ufffd\ufffdMrO^v\ufffd3y\ufffd\u0000\ufffd8",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\u000b\ufffdj-\ufffd\ufffd\u001eR\ufffd\u001e\ufffd=\ufffd\ufffd\ufffd<\u0002D\ufffd!\u001eqA#\ufffd\ufffd\u016e\ufffdY \ufffd\ufffd\ufffds\ufffd\u000eD\ufffd,\ufffd\ufffdC\ufffd\ufffdZB\ufffd\t\ufffd\ufffd\u001b\ufffd]\ufffdB g\ufffd\ufffdp$\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bf250af78a73d3c58048212d365a62ca4e93cc9e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\u000b\ufffdj-\ufffd\ufffd\u001eR\ufffd\u001e\ufffd=\ufffd\ufffd\ufffd<\u0002D\ufffd!\u001eqA#\ufffd\ufffd\u016e\ufffdY \ufffd\ufffd\ufffds\ufffd\u000eD\ufffd,\ufffd\ufffdC\ufffd\ufffdZB\ufffd\t\ufffd\ufffd\u001b\ufffd]\ufffdB g\ufffd\ufffdp$\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdj-\ufffd\ufffdR\ufffd\ufffd=\ufffd\ufffd\ufffd<D\ufffd!qA#\ufffd\ufffd\u016e\ufffdY \ufffd\ufffd\ufffds\ufffdD\ufffd,\ufffd\ufffdC\ufffd\ufffdZB\ufffd\t\ufffd\ufffd\ufffd]\ufffdB g\ufffd\ufffdp$\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001a\u000b\ufffdj-\ufffd\ufffd\u001eR\ufffd\u001e\ufffd=\ufffd\ufffd\ufffd<\u0002D\ufffd!\u001eqA#\ufffd\ufffd\u016e\ufffdY \ufffd\ufffd\ufffds\ufffd\u000eD\ufffd,\ufffd\ufffdC\ufffd\ufffdZB\ufffd\t\ufffd\ufffd\u001b\ufffd]\ufffdB g\ufffd\ufffdp$\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdj-\ufffd\ufffdR\ufffd\ufffd=\ufffd\ufffd\ufffd<D\ufffd!qA#\ufffd\ufffd\u016e\ufffdY \ufffd\ufffd\ufffds\ufffdD\ufffd,\ufffd\ufffdC\ufffd\ufffdZB\ufffd\t\ufffd\ufffd\ufffd]\ufffdB g\ufffd\ufffdp$\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�������������P(婲�r{f0���_��4!�������HdIX ^H� Y��a$0�������P�]]�"�*~�FH��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������P(婲�r{f0���_��4!�������HdIX ^H�
Y��a$0�������P�]]�"�*~�FH��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������P(婲�r{f0���_��4!�������HdIX ^H� Y��a$0�������P�]]�"�*~�FH��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� 'Ή���N"���.10�Y�� �^ׯF.�L� �d
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.799640496174035,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "c04d535d20ce6138d540e512a43b1d91",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0016P(\u5a72\ufffdr{f0\u0002\ufffd\ufffd_\u0014\ufffd4!\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdHdIX ^H\u0004\rY\ufffd\ufffda$0\ufffd\u07b7\ufffd\u0011\ufffd\ufffd\u0004\ufffdP\ufffd]]\u0004\"\u001b*~\ufffdFH\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0016P(\u5a72\ufffdr{f0\u0002\ufffd\ufffd_\u0014\ufffd4!\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdHdIX ^H\u0004\rY\ufffd\ufffda$0\ufffd\u07b7\ufffd\u0011\ufffd\ufffd\u0004\ufffdP\ufffd]]\u0004\"\u001b*~\ufffdFH\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 '\u0389\ufffd\u001d\ufffdN\"\ufffd\u0017\ufffd.10\ufffdY\ufffd\ufffd\n\ufffd^\u05efF.\ufffdL\ufffd\f\ufffdd",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0016P(\u5a72\ufffdr{f0\u0002\ufffd\ufffd_\u0014\ufffd4!\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdHdIX ^H\u0004\rY\ufffd\ufffda$0\ufffd\u07b7\ufffd\u0011\ufffd\ufffd\u0004\ufffdP\ufffd]]\u0004\"\u001b*~\ufffdFH\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "597bf7d6fcb0386e1d932a35b44870b301240a5e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0016P(\u5a72\ufffdr{f0\u0002\ufffd\ufffd_\u0014\ufffd4!\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdHdIX ^H\u0004\rY\ufffd\ufffda$0\ufffd\u07b7\ufffd\u0011\ufffd\ufffd\u0004\ufffdP\ufffd]]\u0004\"\u001b*~\ufffdFH\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdP(\u5a72\ufffdr{f0\ufffd\ufffd_\ufffd4!\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdHdIX ^H\rY\ufffd\ufffda$0\ufffd\u07b7\ufffd\ufffd\ufffd\ufffdP\ufffd]]\"*~\ufffdFH\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0016P(\u5a72\ufffdr{f0\u0002\ufffd\ufffd_\u0014\ufffd4!\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdHdIX ^H\u0004\rY\ufffd\ufffda$0\ufffd\u07b7\ufffd\u0011\ufffd\ufffd\u0004\ufffdP\ufffd]]\u0004\"\u001b*~\ufffdFH\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdP(\u5a72\ufffdr{f0\ufffd\ufffd_\ufffd4!\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdHdIX ^H\rY\ufffd\ufffda$0\ufffd\u07b7\ufffd\ufffd\ufffd\ufffdP\ufffd]]\"*~\ufffdFH\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
����������� �V��H��4��h��7��=��0�a��M���g ��:��4�fU���������%Q������Ge�t�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������
�V��H��4��h��7��=��0�a��M���g � ��:��4�fU���������%Q������Ge�t�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
����������� �V��H��4��h��7��=��0�a��M���g ��:��4�fU���������%Q������Ge�t�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �*o���,<Y�k[}D�����������(�K���
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.859319383945259,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "37532af30fb2775e3ce1eb4c631ff6b1",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n\ufffdV\ufffd\ufffdH\ufffd\u00034\u0017\ufffdh\ufffd\ufffd7\ufffd\u0378\ufffd=\ufffd\ufffd0\ufffda\ufffd\u000fM\ufffd\ufffd\ufffdg \u000b\t\ufffd\ufffd:\ufffd\ufffd4\ufffdfU\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%Q\ufffd\u001f\ufffd\ufffd\ufffd\ufffdGe\ufffdt\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n\ufffdV\ufffd\ufffdH\ufffd\u00034\u0017\ufffdh\ufffd\ufffd7\ufffd\u0378\ufffd=\ufffd\ufffd0\ufffda\ufffd\u000fM\ufffd\ufffd\ufffdg \u000b\t\ufffd\ufffd:\ufffd\ufffd4\ufffdfU\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%Q\ufffd\u001f\ufffd\ufffd\ufffd\ufffdGe\ufffdt\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd*o\ufffd\ufffd\u0015,<Y\ufffdk[}D\u0000\ufffd\u0018\u0018\ufffd\ufffd\ufffd\ufffd\ufffd\u0003\ufffd(\ufffdK\ufffd\u0003\b",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n\ufffdV\ufffd\ufffdH\ufffd\u00034\u0017\ufffdh\ufffd\ufffd7\ufffd\u0378\ufffd=\ufffd\ufffd0\ufffda\ufffd\u000fM\ufffd\ufffd\ufffdg \u000b\t\ufffd\ufffd:\ufffd\ufffd4\ufffdfU\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%Q\ufffd\u001f\ufffd\ufffd\ufffd\ufffdGe\ufffdt\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c2aad7354a53773b61ec1d599dbe8e5c3c459c79",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n\ufffdV\ufffd\ufffdH\ufffd\u00034\u0017\ufffdh\ufffd\ufffd7\ufffd\u0378\ufffd=\ufffd\ufffd0\ufffda\ufffd\u000fM\ufffd\ufffd\ufffdg \u000b\t\ufffd\ufffd:\ufffd\ufffd4\ufffdfU\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%Q\ufffd\u001f\ufffd\ufffd\ufffd\ufffdGe\ufffdt\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\n\ufffdV\ufffd\ufffdH\ufffd4\ufffdh\ufffd\ufffd7\ufffd\u0378\ufffd=\ufffd\ufffd0\ufffda\ufffdM\ufffd\ufffd\ufffdg \t\ufffd\ufffd:\ufffd\ufffd4\ufffdfU\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%Q\ufffd\ufffd\ufffd\ufffd\ufffdGe\ufffdt&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n\ufffdV\ufffd\ufffdH\ufffd\u00034\u0017\ufffdh\ufffd\ufffd7\ufffd\u0378\ufffd=\ufffd\ufffd0\ufffda\ufffd\u000fM\ufffd\ufffd\ufffdg \u000b\t\ufffd\ufffd:\ufffd\ufffd4\ufffdfU\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%Q\ufffd\u001f\ufffd\ufffd\ufffd\ufffdGe\ufffdt\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\n\ufffdV\ufffd\ufffdH\ufffd4\ufffdh\ufffd\ufffd7\ufffd\u0378\ufffd=\ufffd\ufffd0\ufffda\ufffdM\ufffd\ufffd\ufffdg \t\ufffd\ufffd:\ufffd\ufffd4\ufffdfU\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%Q\ufffd\ufffd\ufffd\ufffd\ufffdGe\ufffdt&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�����������I�39���ݗ�����go�)sh����A��[e �jaX�f��R|�5�������f������9� ��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������I�39���ݗ�����go�)sh����A��[e �jaX�f��R|�5�������f������9� ��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������I�39���ݗ�����go�)sh����A��[e �jaX�f��R|�5�������f������9� ��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� 0J)�%.�İʴ2��� �Q���E@m���B�t�
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.8329071561990045,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "192dad21c3d5581e161d17e5e1b17bc6",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\ufffd39\u000f\u0003\ufffd\u0757\ufffd\ufffd\u0015\ufffd\ufffdgo\ufffd)sh\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd[e \ufffdjaX\u0018f\ufffd\ufffdR|\ufffd5\u001a\u0000\ufffd\b\ufffd\ufffd\ufffdf\ufffd\u0016\ufffd\ufffd\ufffd\ufffd9\u0007\t\u001e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\ufffd39\u000f\u0003\ufffd\u0757\ufffd\ufffd\u0015\ufffd\ufffdgo\ufffd)sh\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd[e \ufffdjaX\u0018f\ufffd\ufffdR|\ufffd5\u001a\u0000\ufffd\b\ufffd\ufffd\ufffdf\ufffd\u0016\ufffd\ufffd\ufffd\ufffd9\u0007\t\u001e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 0J)\ufffd%.\ufffd\u0130\u02b42\ufffd\ufffd\u0007\n\ufffdQ\ufffd\ufffd\u001fE@m\ufffd\ufffd\u0011B\ufffdt\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\ufffd39\u000f\u0003\ufffd\u0757\ufffd\ufffd\u0015\ufffd\ufffdgo\ufffd)sh\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd[e \ufffdjaX\u0018f\ufffd\ufffdR|\ufffd5\u001a\u0000\ufffd\b\ufffd\ufffd\ufffdf\ufffd\u0016\ufffd\ufffd\ufffd\ufffd9\u0007\t\u001e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fe5cb300aa34a038cbb603b93589798627f1bdb2",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\ufffd39\u000f\u0003\ufffd\u0757\ufffd\ufffd\u0015\ufffd\ufffdgo\ufffd)sh\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd[e \ufffdjaX\u0018f\ufffd\ufffdR|\ufffd5\u001a\u0000\ufffd\b\ufffd\ufffd\ufffdf\ufffd\u0016\ufffd\ufffd\ufffd\ufffd9\u0007\t\u001e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdI\ufffd39\ufffd\u0757\ufffd\ufffd\ufffd\ufffdgo\ufffd)sh\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd[e \ufffdjaXf\ufffd\ufffdR|\ufffd5\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffd\ufffd\ufffd\ufffd9\t&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\ufffd39\u000f\u0003\ufffd\u0757\ufffd\ufffd\u0015\ufffd\ufffdgo\ufffd)sh\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd[e \ufffdjaX\u0018f\ufffd\ufffdR|\ufffd5\u001a\u0000\ufffd\b\ufffd\ufffd\ufffdf\ufffd\u0016\ufffd\ufffd\ufffd\ufffd9\u0007\t\u001e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdI\ufffd39\ufffd\u0757\ufffd\ufffd\ufffd\ufffdgo\ufffd)sh\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd[e \ufffdjaXf\ufffd\ufffdR|\ufffd5\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffd\ufffd\ufffd\ufffd9\t&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�����������\1�&"������L����X,m��og�S:������ �B��"dD:��L��@pr�T�(�2��mn �x����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������\1�&"������L����X,m��og�S:������ �B��"dD:��L��@pr�T�(�2��mn
�x����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������\1�&"������L����X,m��og�S:������ �B��"dD:��L��@pr�T�(�2��mn �x����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �����u GH�gb������&�(�$�7���
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.800831289077221,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "8a49744cf1954534659892184d28608b",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\\1\u0012&\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL\u0014\ufffd\u0000\ufffdX,m\ufffd\ufffdog\ufffdS:\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdB\ufffd\ufffd\"dD:\u0016\ufffdL\ufffd\ufffd@pr\u0001T\ufffd(\u00152\ufffd\u000fmn\n\ufffdx\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\\1\u0012&\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL\u0014\ufffd\u0000\ufffdX,m\ufffd\ufffdog\ufffdS:\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdB\ufffd\ufffd\"dD:\u0016\ufffdL\ufffd\ufffd@pr\u0001T\ufffd(\u00152\ufffd\u000fmn\n\ufffdx\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffd\ufffdu GH\ufffdgb\ufffd\u0005\ufffd\ufffd\b\ufffd&\ufffd(\ufffd$\u0091\u00177\ufffd\ufffd\u0006",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\\1\u0012&\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL\u0014\ufffd\u0000\ufffdX,m\ufffd\ufffdog\ufffdS:\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdB\ufffd\ufffd\"dD:\u0016\ufffdL\ufffd\ufffd@pr\u0001T\ufffd(\u00152\ufffd\u000fmn\n\ufffdx\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ba8c24f2f3cabc3067d517452aa19e28fb627d64",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\\1\u0012&\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL\u0014\ufffd\u0000\ufffdX,m\ufffd\ufffdog\ufffdS:\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdB\ufffd\ufffd\"dD:\u0016\ufffdL\ufffd\ufffd@pr\u0001T\ufffd(\u00152\ufffd\u000fmn\n\ufffdx\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\\1&\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL\ufffd\ufffdX,m\ufffd\ufffdog\ufffdS:\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdB\ufffd\ufffd\"dD:\ufffdL\ufffd\ufffd@prT\ufffd(2\ufffdmn\n\ufffdx\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\\1\u0012&\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL\u0014\ufffd\u0000\ufffdX,m\ufffd\ufffdog\ufffdS:\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdB\ufffd\ufffd\"dD:\u0016\ufffdL\ufffd\ufffd@pr\u0001T\ufffd(\u00152\ufffd\u000fmn\n\ufffdx\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\\1&\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL\ufffd\ufffdX,m\ufffd\ufffdog\ufffdS:\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdB\ufffd\ufffd\"dD:\ufffdL\ufffd\ufffd@prT\ufffd(2\ufffdmn\n\ufffdx\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�������������(v��&y�������4]��+���{�9�cl �����S��d�����/D���}m��.g�q�#ܽ%�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������(v��&y�������4]��+���{�9�cl� �����S��d�����/D���}m��.g�q�#ܽ%�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������(v��&y�������4]��+���{�9�cl �����S��d�����/D���}m��.g�q�#ܽ%�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��*à>����X��*%�"�n������%�"�LO
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.8306562906936215,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "9b82b6e63cbca371f9410d79f71b1b32",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd(v\ufffd\ufffd&y\ufffd\u0012\ufffd\ufffd\u001d\u0000\u00184\u0098]\u0002\ufffd+\ufffd\ufffd\ufffd{\ufffd9\ufffdcl\u000b \ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffdd\ufffd\ufffd\ufffd\u0019\ufffd\/D\u0018\ufffd\ufffd}m\ufffd\ufffd.g\ufffdq\ufffd#\u073d%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd(v\ufffd\ufffd&y\ufffd\u0012\ufffd\ufffd\u001d\u0000\u00184\u0098]\u0002\ufffd+\ufffd\ufffd\ufffd{\ufffd9\ufffdcl\u000b \ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffdd\ufffd\ufffd\ufffd\u0019\ufffd\/D\u0018\ufffd\ufffd}m\ufffd\ufffd.g\ufffdq\ufffd#\u073d%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0001*\u00e0>\u001b\u001f\ufffd\u0007X\ufffd\b*%\ufffd\"\u0001n\b\ufffd\ufffd\u001a\ufffd\u000e%\u0002\"\ufffdLO",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd(v\ufffd\ufffd&y\ufffd\u0012\ufffd\ufffd\u001d\u0000\u00184\u0098]\u0002\ufffd+\ufffd\ufffd\ufffd{\ufffd9\ufffdcl\u000b \ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffdd\ufffd\ufffd\ufffd\u0019\ufffd\/D\u0018\ufffd\ufffd}m\ufffd\ufffd.g\ufffdq\ufffd#\u073d%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b5a872ea41d683b5791f20eaa441cb5927254ad2",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd(v\ufffd\ufffd&y\ufffd\u0012\ufffd\ufffd\u001d\u0000\u00184\u0098]\u0002\ufffd+\ufffd\ufffd\ufffd{\ufffd9\ufffdcl\u000b \ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffdd\ufffd\ufffd\ufffd\u0019\ufffd\/D\u0018\ufffd\ufffd}m\ufffd\ufffd.g\ufffdq\ufffd#\u073d%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd(v\ufffd\ufffd&y\ufffd\ufffd\ufffd4\u0098]\ufffd+\ufffd\ufffd\ufffd{\ufffd9\ufffdcl \ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\/D\ufffd\ufffd}m\ufffd\ufffd.g\ufffdq\ufffd#\u073d%&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd(v\ufffd\ufffd&y\ufffd\u0012\ufffd\ufffd\u001d\u0000\u00184\u0098]\u0002\ufffd+\ufffd\ufffd\ufffd{\ufffd9\ufffdcl\u000b \ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffdd\ufffd\ufffd\ufffd\u0019\ufffd\/D\u0018\ufffd\ufffd}m\ufffd\ufffd.g\ufffdq\ufffd#\u073d%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd(v\ufffd\ufffd&y\ufffd\ufffd\ufffd4\u0098]\ufffd+\ufffd\ufffd\ufffd{\ufffd9\ufffdcl \ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\/D\ufffd\ufffd}m\ufffd\ufffd.g\ufffdq\ufffd#\u073d%&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�������������o�+0���£�7�����܀����Q؏>�$p� ���ß'�PF�`4^��2H�����w�w��\|���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������o�+0���£�7�����܀����Q؏>�$p� ���ß'�PF�`4^��2H�����w�w��\|���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������o�+0���£�7�����܀����Q؏>�$p� ���ß'�PF�`4^��2H�����w�w��\|���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� [<�F\��i��܍Ɗ���B)꽱�;fL��2��1
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.8649260124767615,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "3905cb1786554941814c77d99d8611c4",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdo\ufffd+0\ufffd\ufffd\ufffd\u00a3\u00177\ufffd\ufffd\ufffd\ufffd\u001a\u0700\ufffd\ufffd\ufffd\ufffdQ\u060f>\ufffd$p\ufffd \ufffd\ufffd\ufffd\u00df'\ufffdPF\ufffd`4^\ufffd\u00022H\ufffd\ufffd\u001e\ufffd\u0013w\ufffdw\ufffd\ufffd\\|\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdo\ufffd+0\ufffd\ufffd\ufffd\u00a3\u00177\ufffd\ufffd\ufffd\ufffd\u001a\u0700\ufffd\ufffd\ufffd\ufffdQ\u060f>\ufffd$p\ufffd \ufffd\ufffd\ufffd\u00df'\ufffdPF\ufffd`4^\ufffd\u00022H\ufffd\ufffd\u001e\ufffd\u0013w\ufffdw\ufffd\ufffd\\|\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 [<\ufffdF\\\u000e\ufffdi\ufffd\ufffd\u070d\u018a\ufffd\ufffd\ufffdB)\uaf71\u0000;fL\ufffd\ufffd2\ufffd\u00171",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdo\ufffd+0\ufffd\ufffd\ufffd\u00a3\u00177\ufffd\ufffd\ufffd\ufffd\u001a\u0700\ufffd\ufffd\ufffd\ufffdQ\u060f>\ufffd$p\ufffd \ufffd\ufffd\ufffd\u00df'\ufffdPF\ufffd`4^\ufffd\u00022H\ufffd\ufffd\u001e\ufffd\u0013w\ufffdw\ufffd\ufffd\\|\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f09a3337ee01d79331951c81f96244c6bbeac103",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdo\ufffd+0\ufffd\ufffd\ufffd\u00a3\u00177\ufffd\ufffd\ufffd\ufffd\u001a\u0700\ufffd\ufffd\ufffd\ufffdQ\u060f>\ufffd$p\ufffd \ufffd\ufffd\ufffd\u00df'\ufffdPF\ufffd`4^\ufffd\u00022H\ufffd\ufffd\u001e\ufffd\u0013w\ufffdw\ufffd\ufffd\\|\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdo\ufffd+0\ufffd\ufffd\ufffd\u00a37\ufffd\ufffd\ufffd\ufffd\u0700\ufffd\ufffd\ufffd\ufffdQ\u060f>\ufffd$p\ufffd \ufffd\ufffd\ufffd\u00df'\ufffdPF\ufffd`4^\ufffd2H\ufffd\ufffd\ufffdw\ufffdw\ufffd\ufffd\\|\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdo\ufffd+0\ufffd\ufffd\ufffd\u00a3\u00177\ufffd\ufffd\ufffd\ufffd\u001a\u0700\ufffd\ufffd\ufffd\ufffdQ\u060f>\ufffd$p\ufffd \ufffd\ufffd\ufffd\u00df'\ufffdPF\ufffd`4^\ufffd\u00022H\ufffd\ufffd\u001e\ufffd\u0013w\ufffdw\ufffd\ufffd\\|\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdo\ufffd+0\ufffd\ufffd\ufffd\u00a37\ufffd\ufffd\ufffd\ufffd\u0700\ufffd\ufffd\ufffd\ufffdQ\u060f>\ufffd$p\ufffd \ufffd\ufffd\ufffd\u00df'\ufffdPF\ufffd`4^\ufffd2H\ufffd\ufffd\ufffdw\ufffdw\ufffd\ufffd\\|\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�����������i봾l�= �$K� #�d�x+�)�\��ZpZ�l�� ��w�eV�{� Ԙ>+��_�5�ߑ`�d�duX�� �&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������i봾l�=��$K�
#�d�x+�)�\��ZpZ�l�� ��w�eV�{�
Ԙ>+��_�5�ߑ`�d�duX����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������i봾l�= �$K� #�d�x+�)�\��ZpZ�l�� ��w�eV�{� Ԙ>+��_�5�ߑ`�d�duX�� �&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �=(�*i�0�cL�3�`2C[Ez�ԡ ��`E�7�1
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.8010519262340186,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "d680dfa4c8fb83854a4baeed7f6c34d0",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ubd3el\ufffd=\u000b\ufffd$K\ufffd\n#\ufffdd\ufffdx+\ufffd)\ufffd\\\u001a\ufffdZpZ\u0003l\ufffd\ufffd \u0010\ufffdw\ufffdeV\ufffd{\ufffd\r\u0518>+\ufffd\u0004_\ufffd5\u0011\u07d1`\ufffdd\ufffdduX\ufffd\ufffd\u000b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ubd3el\ufffd=\u000b\ufffd$K\ufffd\n#\ufffdd\ufffdx+\ufffd)\ufffd\\\u001a\ufffdZpZ\u0003l\ufffd\ufffd \u0010\ufffdw\ufffdeV\ufffd{\ufffd\r\u0518>+\ufffd\u0004_\ufffd5\u0011\u07d1`\ufffdd\ufffdduX\ufffd\ufffd\u000b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd=(\ufffd*i\ufffd0\ufffdcL\ufffd3\ufffd`2C[Ez\ufffd\u0521\n\u0005\u0018`E\u001b7\ufffd1",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ubd3el\ufffd=\u000b\ufffd$K\ufffd\n#\ufffdd\ufffdx+\ufffd)\ufffd\\\u001a\ufffdZpZ\u0003l\ufffd\ufffd \u0010\ufffdw\ufffdeV\ufffd{\ufffd\r\u0518>+\ufffd\u0004_\ufffd5\u0011\u07d1`\ufffdd\ufffdduX\ufffd\ufffd\u000b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fb9b8c986d13707f57713a545cde637952016e16",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ubd3el\ufffd=\u000b\ufffd$K\ufffd\n#\ufffdd\ufffdx+\ufffd)\ufffd\\\u001a\ufffdZpZ\u0003l\ufffd\ufffd \u0010\ufffdw\ufffdeV\ufffd{\ufffd\r\u0518>+\ufffd\u0004_\ufffd5\u0011\u07d1`\ufffdd\ufffdduX\ufffd\ufffd\u000b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdi\ubd3el\ufffd=\ufffd$K\ufffd\n#\ufffdd\ufffdx+\ufffd)\ufffd\\\ufffdZpZl\ufffd\ufffd \ufffdw\ufffdeV\ufffd{\ufffd\r\u0518>+\ufffd_\ufffd5\u07d1`\ufffdd\ufffdduX\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ubd3el\ufffd=\u000b\ufffd$K\ufffd\n#\ufffdd\ufffdx+\ufffd)\ufffd\\\u001a\ufffdZpZ\u0003l\ufffd\ufffd \u0010\ufffdw\ufffdeV\ufffd{\ufffd\r\u0518>+\ufffd\u0004_\ufffd5\u0011\u07d1`\ufffdd\ufffdduX\ufffd\ufffd\u000b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdi\ubd3el\ufffd=\ufffd$K\ufffd\n#\ufffdd\ufffdx+\ufffd)\ufffd\\\ufffdZpZl\ufffd\ufffd \ufffdw\ufffdeV\ufffd{\ufffd\r\u0518>+\ufffd_\ufffd5\u07d1`\ufffdd\ufffdduX\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�����������,�Tg�wV �-��#WAr������p{V�E;{)� �*`J�O��-o��8����p� �f�H��fp���@�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������,�Tg�wV �-��#WAr������p{V�E;{)� �*`J�O��-o��8����p�
�f�H��fp���@�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������,�Tg�wV �-��#WAr������p{V�E;{)� �*`J�O��-o��8����p� �f�H��fp���@�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� *��WIR��'5<�-g�{k��2��jS�j^�P�@
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.818699728650785,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "1d8a6aa668dfa7b034da49228dce9b8a",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003,\ufffdTg\ufffdwV \ufffd-\ufffd\ufffd#WAr\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdp{V\ufffdE;{)\ufffd \ufffd*`J\ufffdO\ufffd\ufffd-o\ufffd\ufffd8\ufffd\ufffd\u0013\ufffdp\ufffd\r\ufffdf\u001fH\ufffd\ufffdfp\ufffd\ufffd\ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003,\ufffdTg\ufffdwV \ufffd-\ufffd\ufffd#WAr\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdp{V\ufffdE;{)\ufffd \ufffd*`J\ufffdO\ufffd\ufffd-o\ufffd\ufffd8\ufffd\ufffd\u0013\ufffdp\ufffd\r\ufffdf\u001fH\ufffd\ufffdfp\ufffd\ufffd\ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 *\ufffd\ufffdWIR\ufffd\ufffd'5<\ufffd-g\ufffd{k\ufffd\ufffd2\ufffd\ufffdjS\ufffdj^\ufffdP\u0006@",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003,\ufffdTg\ufffdwV \ufffd-\ufffd\ufffd#WAr\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdp{V\ufffdE;{)\ufffd \ufffd*`J\ufffdO\ufffd\ufffd-o\ufffd\ufffd8\ufffd\ufffd\u0013\ufffdp\ufffd\r\ufffdf\u001fH\ufffd\ufffdfp\ufffd\ufffd\ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3bbc3638a5a0d275058b76ef2faff8f823b59251",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003,\ufffdTg\ufffdwV \ufffd-\ufffd\ufffd#WAr\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdp{V\ufffdE;{)\ufffd \ufffd*`J\ufffdO\ufffd\ufffd-o\ufffd\ufffd8\ufffd\ufffd\u0013\ufffdp\ufffd\r\ufffdf\u001fH\ufffd\ufffdfp\ufffd\ufffd\ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd,\ufffdTg\ufffdwV \ufffd-\ufffd\ufffd#WAr\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdp{V\ufffdE;{)\ufffd \ufffd*`J\ufffdO\ufffd\ufffd-o\ufffd\ufffd8\ufffd\ufffd\ufffdp\ufffd\r\ufffdfH\ufffd\ufffdfp\ufffd\ufffd\ufffd@&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003,\ufffdTg\ufffdwV \ufffd-\ufffd\ufffd#WAr\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdp{V\ufffdE;{)\ufffd \ufffd*`J\ufffdO\ufffd\ufffd-o\ufffd\ufffd8\ufffd\ufffd\u0013\ufffdp\ufffd\r\ufffdf\u001fH\ufffd\ufffdfp\ufffd\ufffd\ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd,\ufffdTg\ufffdwV \ufffd-\ufffd\ufffd#WAr\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdp{V\ufffdE;{)\ufffd \ufffd*`J\ufffdO\ufffd\ufffd-o\ufffd\ufffd8\ufffd\ufffd\ufffdp\ufffd\r\ufffdfH\ufffd\ufffdfp\ufffd\ufffd\ufffd@&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 21:19:55 UTC
TCP
8190 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8190 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
�����������GzR)�x�����@�����~���2^�����C��w :4�ƚ7��i�̆����}�W��nZ�3y��ٝ@��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������GzR)�x�����@�����~���2^�����C��w :4�ƚ7��i�̆����}�W��nZ�3y��ٝ@��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������GzR)�x�����@�����~���2^�����C��w :4�ƚ7��i�̆����}�W��nZ�3y��ٝ@��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� T��K��wK�V7��GOo7Ջ������c�6|���
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.867754765187396,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c8f4129bea7d0cca2be554f493860ae014357f08",
"event_fingerprint": "9bd4513c6511161ddcfc183cee778be05ee0e13d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "2c42816464c091b8b5933cdababc9b6d",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003GzR)\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\ufffd2^\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffdw :4\ufffd\u019a7\ufffd\ufffdi\ufffd\u0306\ufffd\ufffd\ufffd\u0002}\ufffdW\ufffd\ufffdnZ\ufffd3y\ufffd\ufffd\u065d@\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003GzR)\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\ufffd2^\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffdw :4\ufffd\u019a7\ufffd\ufffdi\ufffd\u0306\ufffd\ufffd\ufffd\u0002}\ufffdW\ufffd\ufffdnZ\ufffd3y\ufffd\ufffd\u065d@\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 T\ufffd\ufffdK\ufffd\u0010wK\ufffdV7\ufffd\ufffdGOo7\u054b\u0003\ufffd\ufffd\ufffd\u0019\ufffdc\ufffd6|\u000e\u000f\u0007",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003GzR)\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\ufffd2^\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffdw :4\ufffd\u019a7\ufffd\ufffdi\ufffd\u0306\ufffd\ufffd\ufffd\u0002}\ufffdW\ufffd\ufffdnZ\ufffd3y\ufffd\ufffd\u065d@\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "44a8db77c364a42672f4250e249f788c574f3876",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003GzR)\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\ufffd2^\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffdw :4\ufffd\u019a7\ufffd\ufffdi\ufffd\u0306\ufffd\ufffd\ufffd\u0002}\ufffdW\ufffd\ufffdnZ\ufffd3y\ufffd\ufffd\u065d@\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdGzR)\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\ufffd2^\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffdw :4\ufffd\u019a7\ufffd\ufffdi\ufffd\u0306\ufffd\ufffd\ufffd}\ufffdW\ufffd\ufffdnZ\ufffd3y\ufffd\ufffd\u065d@&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003GzR)\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\ufffd2^\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffdw :4\ufffd\u019a7\ufffd\ufffdi\ufffd\u0306\ufffd\ufffd\ufffd\u0002}\ufffdW\ufffd\ufffdnZ\ufffd3y\ufffd\ufffd\u065d@\u0015\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8190 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdGzR)\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\ufffd2^\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffdw :4\ufffd\u019a7\ufffd\ufffdi\ufffd\u0306\ufffd\ufffd\ufffd}\ufffdW\ufffd\ufffdnZ\ufffd3y\ufffd\ufffd\u065d@&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}