|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_banner_grab
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Pourquoi cette classification : Bannière client SSH reçue · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "9a7126521109c1987b3394ab50203f58d5e0666d",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "481e7c9d48f087e9179390f97c4362a8599a741d",
"protocol_details": {
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_banner_grab",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 25,
"ssh_auth_burst_rate": 1.92
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
@RSYTCD: 29
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
@RSYTCD: 29
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 12,
"payload_entropy": 3.584962500721156,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b2993d6e4414a846683a71de5eb18653",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "@RSYTCD: 29\n",
"request_sample": "@RSYTCD: 29\n",
"payload_snippet": "@RSYTCD: 29",
"evidence": {
"request_sample": "@RSYTCD: 29\n",
"payload_snippet": "@RSYTCD: 29",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "688ac31b5cccb45d898542916e35709bba611706",
"protocol_details": {
"payload_preview": "@RSYTCD: 29",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "@RSYTCD: 29",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "@RSYTCD: 29",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "@RSYTCD: 29",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 40,
"ssh_auth_burst_rate": 3.07,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Oracle TNS connect
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123
Requête brute (extrait)
��������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=22)))
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 238,
"payload_entropy": 5.113383338217833,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0520",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Oracle TNS connect",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0520",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3ec3472553fccfc5460ce0aa0edb3bd2",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"request_sample": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=22)))",
"payload_snippet": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"evidence": {
"request_sample": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=22)))",
"payload_snippet": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1246a073ff78ce2d8c3496f0df527f87975caadd",
"protocol_details": {
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "\ufffd<,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd<,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 41,
"ssh_auth_burst_rate": 3.15
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
postgres_startup
postgresql_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���T����user�postgres�database�postgres�application_name�psql�client_encoding�UTF8��
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 5 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
MSSQL TDS prelogin
ET H.323 setup
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
T����user�postgres�database�postgres�application_name�psql�client_encoding�UTF8
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 84,
"payload_entropy": 4.139167728978457,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 10
},
"risk_score": 48,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "2d36879333240626a18617a50ed2c7dee2f54393",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0348",
"pat-0356",
"pat-0868",
"pat-0554"
],
"matched_pattern_names": [
"RDP TPKT header",
"MSSQL TDS prelogin",
"ET H.323 setup",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0348",
"pat-0356",
"pat-0868",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 10,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "94e606a42613d0ef095b8001a98bf6ed",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"request_sample": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"payload_snippet": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"payload_snippet": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dff62050a720ccbe26a1a7aa16a0f946ee4180be",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 10,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"postgres_startup",
"postgresql_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 42,
"ssh_auth_burst_rate": 3.23
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
OPTIONS rtsp://example.com RTSP/1.0 Cseq: 8830
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
RTSP protocol
HTTP OPTIONS method
User-Agent
—
Règles WAF
—
Payload (extrait)
OPTIONS rtsp://example.com RTSP/1.0
Cseq: 8830
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 51,
"payload_entropy": 4.774887351563313,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0103",
"pat-0382",
"pat-0420"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"RTSP protocol",
"HTTP OPTIONS method"
],
"pattern_ids": [
"pat-0103",
"pat-0382",
"pat-0420"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "cf7f9a111f4b869f284e874d67be1f5e",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 8830\r\n\r\n",
"request_sample": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 8830\r\n\r\n",
"payload_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 8830",
"evidence": {
"request_sample": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 8830\r\n\r\n",
"payload_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 8830",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c3bd6976fe6d81871bd23d31b29af971a6d6442f",
"protocol_details": {
"payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 8830",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 8830",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 8830",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 8830",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 43,
"ssh_auth_burst_rate": 3.31
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
mongodb_probe
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���(r������������������|��������������������
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
NFS RPC mount
Mumble ping
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���(r������������������|
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 44,
"payload_entropy": 1.9235205817738175,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d23b5ed00a4e814f350523d032a1394122d39cb7",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0532",
"pat-0768",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"NFS RPC mount",
"Mumble ping",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0532",
"pat-0768",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2a177602bee0d039f41fbd6da5240e04",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"request_sample": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e876fa09a770fdbdbcbee593cc5e2e22f1136a9e",
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "\ufffd(r\ufffd\ufffd\ufffd\ufffd|",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd(r\ufffd\ufffd\ufffd\ufffd|",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_probe",
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 26,
"ssh_auth_burst_rate": 2.16
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���f�SMB@�����������������������������������������������������������$������������333333333333337����������
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
f�SMB@�����������������������������������������������������������$������������333333333333337����������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 106,
"payload_entropy": 1.562219115128654,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c410cf23b3d85ec98026baf9f8231d24",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"request_sample": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"payload_snippet": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"evidence": {
"request_sample": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"payload_snippet": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d422539d9eae3410f418d7d4e23510bf8e6c8e72",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "f\ufffdSMB@$333333333333337",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "f\ufffdSMB@$333333333333337",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 27,
"ssh_auth_burst_rate": 2.25
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
r>����������
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
r>����������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 12,
"payload_entropy": 2.125814583693911,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e9fd5030e26d1c231036f4ff830a90da",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "r>\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"request_sample": "r>\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"payload_snippet": "r>\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"evidence": {
"request_sample": "r>\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"payload_snippet": "r>\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0eccae8d7e2e4f67d3404bcef7b017055f007a2f",
"protocol_details": {
"payload_preview": "r>\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "r>",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "r>\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "r>",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 28,
"ssh_auth_burst_rate": 2.33
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
*1 $4 PING
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Redis PING RESP
User-Agent
—
Règles WAF
—
Payload (extrait)
*1
$4
PING
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 14,
"payload_entropy": 3.128085278891395,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0414"
],
"matched_pattern_names": [
"Redis PING RESP"
],
"pattern_ids": [
"pat-0414"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a43cb6a3b9d261112714d00e36b33106",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "*1\r\n$4\r\nPING\r\n",
"request_sample": "*1\r\n$4\r\nPING\r\n",
"payload_snippet": "*1\r\n$4\r\nPING",
"evidence": {
"request_sample": "*1\r\n$4\r\nPING\r\n",
"payload_snippet": "*1\r\n$4\r\nPING",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d4d2aa8f4088fee9ca985dd7ecfcc5b9fc3cffa8",
"protocol_details": {
"payload_preview": "*1\r\n$4\r\nPING",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "*1\r\n$4\r\nPING",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "*1\r\n$4\r\nPING",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "*1\r\n$4\r\nPING",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 29,
"ssh_auth_burst_rate": 2.41
}
|
|
|
TCP |
22 · SSH
|
ssh
|
mqtt probe
mqtt probe · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 49
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
mqtt_connect
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
����MQTT���<��AAAAA
Pourquoi cette classification : Rafale d'authentification SSH · confiance 97%
Confiance classification
97%
Risque capteur
Moyen
· 49
Confiance : Confiance 97 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0373
pat-0615
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MQTT protocol
MQTT alt CONNECT
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
����MQTT���<��AAAAA
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 19,
"payload_entropy": 3.281373409411991,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 49,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "b1802f6f71a11621266cff4649898a3490ca5795",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%",
"confidence": 0.97,
"classification_confidence": 0.97,
"precision_score": 110,
"precision_signals": [
"pat-0373",
"pat-0615"
],
"kb_rule_ids": [
"pat-0373",
"pat-0615"
],
"matched_patterns": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"matched_pattern_names": [
"MQTT protocol",
"MQTT alt CONNECT",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 49
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 97,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "146feb4208f989935534a353df60ec62",
"path_pattern_hash": "4449b927317468afa12a2f935a413459"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 49
},
"payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"request_sample": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"evidence": {
"request_sample": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b037cb5b32edc22d86c89afe5cb4c84b5d698274",
"protocol_details": {
"payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "MQTT<AAAAA",
"attack_vector": "mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 97%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100",
"confidence_pct": 97,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 49
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 49,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"pat-0373",
"pat-0615"
],
"tags_summary_labels_fr": [
"pat-0373",
"pat-0615"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "MQTT<AAAAA",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mqtt_connect",
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 30,
"ssh_auth_burst_rate": 2.5
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
JDWP-Handshake
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
JDWP-Handshake
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 14,
"payload_entropy": 3.6644977792004623,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d7cf99dd7541d7bd514fc0d9a1b2d531",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "JDWP-Handshake",
"request_sample": "JDWP-Handshake",
"payload_snippet": "JDWP-Handshake",
"evidence": {
"request_sample": "JDWP-Handshake",
"payload_snippet": "JDWP-Handshake",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "edab5da1d572e96dec38495ef77723da65c2edc8",
"protocol_details": {
"payload_preview": "JDWP-Handshake",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "JDWP-Handshake",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "JDWP-Handshake",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "JDWP-Handshake",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 32,
"ssh_auth_burst_rate": 2.66
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
JRMI��K
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Java RMI JRMI
User-Agent
—
Règles WAF
—
Payload (extrait)
JRMI��K
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 7,
"payload_entropy": 2.807354922057604,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0604"
],
"matched_pattern_names": [
"Java RMI JRMI"
],
"pattern_ids": [
"pat-0604"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d8c49a0f759e2102fb8fa8368049d06a",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "JRMI\u0000\u0002K",
"request_sample": "JRMI\u0000\u0002K",
"payload_snippet": "JRMI\u0000\u0002K",
"evidence": {
"request_sample": "JRMI\u0000\u0002K",
"payload_snippet": "JRMI\u0000\u0002K",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "25c057bdc097d97004a01c34d3bb59bfa4a90986",
"protocol_details": {
"payload_preview": "JRMI\u0000\u0002K",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "JRMIK",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "JRMI\u0000\u0002K",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "JRMIK",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 38,
"ssh_auth_burst_rate": 3.16
}
|
|
|
TCP |
22 · SSH
|
ssh
|
mqtt probe
mqtt probe · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 49
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
mqtt_connect
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
����MQTT���<���AAAAA
Pourquoi cette classification : Rafale d'authentification SSH · confiance 97%
Confiance classification
97%
Risque capteur
Moyen
· 49
Confiance : Confiance 97 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0373
pat-0615
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MQTT protocol
MQTT alt CONNECT
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
����MQTT���<���AAAAA
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 20,
"payload_entropy": 3.1414460711655217,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 49,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "b1802f6f71a11621266cff4649898a3490ca5795",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%",
"confidence": 0.97,
"classification_confidence": 0.97,
"precision_score": 110,
"precision_signals": [
"pat-0373",
"pat-0615"
],
"kb_rule_ids": [
"pat-0373",
"pat-0615"
],
"matched_patterns": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"matched_pattern_names": [
"MQTT protocol",
"MQTT alt CONNECT",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 49
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 97,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8cbaa0e25147458ba5f5f0e8603c4f19",
"path_pattern_hash": "4449b927317468afa12a2f935a413459"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 49
},
"payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"request_sample": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"evidence": {
"request_sample": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "091bb425d2449cc5524179b89f1cfac2157d0511",
"protocol_details": {
"payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "MQTT<AAAAA",
"attack_vector": "mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 97%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100",
"confidence_pct": 97,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 49
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 49,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"pat-0373",
"pat-0615"
],
"tags_summary_labels_fr": [
"pat-0373",
"pat-0615"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "MQTT<AAAAA",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mqtt_connect",
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 39,
"ssh_auth_burst_rate": 3.25
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���C�����3���consumer-Offset Explorer 2.2-18��apache-kafka-java�2.4.0�
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Kafka ApiVersions key
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
C�����3���consumer-Offset Explorer 2.2-18��apache-kafka-java�2.4.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 71,
"payload_entropy": 4.83906190787142,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0556",
"pat-0554"
],
"matched_pattern_names": [
"Kafka ApiVersions key",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0556",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d9bcc621186ef441cc445f2b3dbd5f10",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"request_sample": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"payload_snippet": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"payload_snippet": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9a321f0f92229c154128e8e36ccded2ae3db9c21",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 19,
"ssh_auth_burst_rate": 1.46
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
postgres_startup
postgresql_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���#�����3�� adminclient-5������OmjXoi
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 5 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
ET H.323 setup
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
#�����3��
adminclient-5������OmjXoi
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 39,
"payload_entropy": 4.085180800729588,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 10
},
"risk_score": 48,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "2d36879333240626a18617a50ed2c7dee2f54393",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"ET H.323 setup",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 10,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2cdc1c85ed90a71a47d0101ae55ce264",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006OmjXoi",
"request_sample": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006OmjXoi",
"payload_snippet": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006OmjXoi",
"evidence": {
"request_sample": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006OmjXoi",
"payload_snippet": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006OmjXoi",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0e084588a1fba4d3d51905ae0ccd2b323edba11b",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006OmjXoi",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "#3\ufffd\radminclient-5OmjXoi",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 10,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006OmjXoi",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "#3\ufffd\radminclient-5OmjXoi",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"postgres_startup",
"postgresql_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 20,
"ssh_auth_burst_rate": 1.54
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Protocole TDS MSSQL
mssql tds · via SSH:22 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
mssql_tds
net_bruteforce
net_mssql_tds
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���X�����������%����&����'����+����,�$�� ��������������\�k��٪<�K�{��\2!$���7�b9JF,�����
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Faible
· 35
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0519
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MSSQL TDS prelogin
Mumble ping
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���X�����������%����&����'����+����,�$�� ��������������\�k��٪<�K�{��\2!$���7�b9JF,�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 88,
"payload_entropy": 4.354527413223707,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 35,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d12fee1305c771eccf9b4dc94584e2f37a781e8d",
"event_fingerprint": "e2fecb7fa672c436270a1a3ab197ed5a9894cbda",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 83,
"precision_signals": [
"pat-0519",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0519",
"INT-upstream"
],
"matched_patterns": [
"pat-0519",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"MSSQL TDS prelogin",
"Mumble ping",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0519",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0efe38694fbb4cc2af819186b5e9ae9e",
"path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 35
},
"payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"request_sample": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "786b729d8b2076c38ec8c0ed0719c0dd6803f8ba",
"protocol_details": {
"payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "X%&'+,$\ufffd\t\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u066a<K\ufffd{\ufffd\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd",
"attack_vector": "mssql tds \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"pat-0519",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0519",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "mssql tds \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "X%&'+,$\ufffd\t\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u066a<K\ufffd{\ufffd\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mssql_tds",
"net_bruteforce",
"net_mssql_tds",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 14,
"ssh_auth_burst_rate": 1.08
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
0:��f���`2�����cn=qiksnrhfyegsacbprmcn��qiksnrhfyegsacbprmcn
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
0:��f���`2�����cn=qiksnrhfyegsacbprmcn��qiksnrhfyegsacbprmcn
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 60,
"payload_entropy": 4.707321121424567,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c59a677b2073867969ee46536f796999",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "0:\u0002\u0004f\ufffd\u0003\u000f`2\u0002\u0001\u0003\u0004\u0017cn=qiksnrhfyegsacbprmcn\ufffd\u0014qiksnrhfyegsacbprmcn",
"request_sample": "0:\u0002\u0004f\ufffd\u0003\u000f`2\u0002\u0001\u0003\u0004\u0017cn=qiksnrhfyegsacbprmcn\ufffd\u0014qiksnrhfyegsacbprmcn",
"payload_snippet": "0:\u0002\u0004f\ufffd\u0003\u000f`2\u0002\u0001\u0003\u0004\u0017cn=qiksnrhfyegsacbprmcn\ufffd\u0014qiksnrhfyegsacbprmcn",
"evidence": {
"request_sample": "0:\u0002\u0004f\ufffd\u0003\u000f`2\u0002\u0001\u0003\u0004\u0017cn=qiksnrhfyegsacbprmcn\ufffd\u0014qiksnrhfyegsacbprmcn",
"payload_snippet": "0:\u0002\u0004f\ufffd\u0003\u000f`2\u0002\u0001\u0003\u0004\u0017cn=qiksnrhfyegsacbprmcn\ufffd\u0014qiksnrhfyegsacbprmcn",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ed875f867270d43a72f6bf40d6533b8548862d21",
"protocol_details": {
"payload_preview": "0:\u0002\u0004f\ufffd\u0003\u000f`2\u0002\u0001\u0003\u0004\u0017cn=qiksnrhfyegsacbprmcn\ufffd\u0014qiksnrhfyegsacbprmcn",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "0:f\ufffd`2cn=qiksnrhfyegsacbprmcn\ufffdqiksnrhfyegsacbprmcn",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "0:\u0002\u0004f\ufffd\u0003\u000f`2\u0002\u0001\u0003\u0004\u0017cn=qiksnrhfyegsacbprmcn\ufffd\u0014qiksnrhfyegsacbprmcn",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "0:f\ufffd`2cn=qiksnrhfyegsacbprmcn\ufffdqiksnrhfyegsacbprmcn",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 15,
"ssh_auth_burst_rate": 1.15
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_banner_grab
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Pourquoi cette classification : Bannière client SSH reçue · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "9a7126521109c1987b3394ab50203f58d5e0666d",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "481e7c9d48f087e9179390f97c4362a8599a741d",
"protocol_details": {
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_banner_grab",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 16,
"ssh_auth_burst_rate": 1.6
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
��������������� ���
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
ET H.323 setup
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 19,
"payload_entropy": 1.983740670882855,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "8fc6ed97290d268f1fc6cf8588666a2736755a3f",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"ET H.323 setup",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0003c8efa0acdc0c6540f4bdb920f6bc",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "94172eec75bd2e49c01514c1cb036ae3c10770b0",
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "\ufffd",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 11,
"ssh_auth_burst_rate": 0.85,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
Not a command
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
Not a command
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 16,
"payload_entropy": 3.327819531114783,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ad32b372bf9a8e846b24a957491de4e3",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "Not a command \r\n",
"request_sample": "Not a command \r\n",
"payload_snippet": "Not a command",
"evidence": {
"request_sample": "Not a command \r\n",
"payload_snippet": "Not a command",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "250dbd8b8f86903d9c7611d3c1f2018db5027abe",
"protocol_details": {
"payload_preview": "Not a command",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "Not a command",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "Not a command",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "Not a command",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 13,
"ssh_auth_burst_rate": 1,
"behavior_alert_count": 2,
"behavior_priority": 72
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���������������version�bind�����
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������version�bind�����
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 32,
"payload_entropy": 3.4681390622295662,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "8fc6ed97290d268f1fc6cf8588666a2736755a3f",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "63dee8e3b119d818a847299a1d9cf38b",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\u0000\u001e\u001a\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"request_sample": "\u0000\u001e\u001a\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"payload_snippet": "\u0000\u001e\u001a\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"evidence": {
"request_sample": "\u0000\u001e\u001a\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"payload_snippet": "\u0000\u001e\u001a\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8d0b7579ac9aef950bb8bcf396cceb16c3a74af0",
"protocol_details": {
"payload_preview": "\u0000\u001e\u001a\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "\ufffdversionbind",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\u001e\u001a\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffdversionbind",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 14,
"ssh_auth_burst_rate": 0.93
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce
net_ssh_probe
ssh_banner_grab
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Pourquoi cette classification : Bannière client SSH reçue · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "2c52b1f7aa472ff9e6b5ad5aa646dee43fa9d21b",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7be0d89ee20e8cc370e1cc8a6f3697991db52ea5",
"protocol_details": {
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"ssh_banner_grab",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 1.11
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_banner_grab
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Pourquoi cette classification : Bannière client SSH reçue · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "9a7126521109c1987b3394ab50203f58d5e0666d",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "481e7c9d48f087e9179390f97c4362a8599a741d",
"protocol_details": {
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_banner_grab",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 13,
"ssh_auth_burst_rate": 1.08
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_banner_grab
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Pourquoi cette classification : Bannière client SSH reçue · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "9a7126521109c1987b3394ab50203f58d5e0666d",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "481e7c9d48f087e9179390f97c4362a8599a741d",
"protocol_details": {
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_banner_grab",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 9,
"ssh_auth_burst_rate": 1.5,
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde PostgreSQL
postgres probe · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 40
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_ssh_probe
ssh_emulated
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
������������D��߂��[k[�����R�;,���������G� 5�������/f��r9�k3r���]]��q�fV����2�+�/�,�0̨̩� ��� �������/�5��� �#�'�<������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Moyen
· 40
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������D��߂��[k[�����R�;,���������G� 5�������/f��r9�k3r���]]��q�fV����2�+�/�,�0̨̩� ���
�������/�5���
�#�'�<������������
Requête brute (extrait)
������������D��߂��[k[�����R�;,���������G� 5�������/f��r9�k3r���]]��q�fV����2�+�/�,�0̨̩� ��� �������/�5��� �#�'�<���������������E� ��������������������������� � � ����������� �����������������������������+� ����������3��������K!v�t ��ٛK|Yz?�w���7|3m�~
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 1481,
"payload_entropy": 7.735521837381525,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 36,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 36,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15
},
"risk_score": 40,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "1754ac7e847ceb385b4fff1ce5385dae1c9f46d8",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 36,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 40
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "310491ce764bbeea4c777fca99411ff6",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 40
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdD\ufffd\ufffd\u07c2\ufffd\u0015[k[\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;,\ufffd\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\u0013\ufffdG\ufffd 5\ufffd\ufffd\ufffd\ufffd\u0010\u0000\ufffd\/f\u001e\ufffdr9\ufffdk3r\u0016\ufffd\ufffd]]\ufffd\ufffdq\ufffdfV\u001f\ufffd\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdD\ufffd\ufffd\u07c2\ufffd\u0015[k[\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;,\ufffd\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\u0013\ufffdG\ufffd 5\ufffd\ufffd\ufffd\ufffd\u0010\u0000\ufffd\/f\u001e\ufffdr9\ufffdk3r\u0016\ufffd\ufffd]]\ufffd\ufffdq\ufffdfV\u001f\ufffd\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffdK!v\ufffdt\f\ufffd\ufffd\u065bK|Yz?\ufffdw\ufffd\u0018\u00147|3m\u0002~",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdD\ufffd\ufffd\u07c2\ufffd\u0015[k[\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;,\ufffd\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\u0013\ufffdG\ufffd 5\ufffd\ufffd\ufffd\ufffd\u0010\u0000\ufffd\/f\u001e\ufffdr9\ufffdk3r\u0016\ufffd\ufffd]]\ufffd\ufffdq\ufffdfV\u001f\ufffd\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6a1e9eb65b46888582546c3cba50a9f6daa9a628",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdD\ufffd\ufffd\u07c2\ufffd\u0015[k[\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;,\ufffd\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\u0013\ufffdG\ufffd 5\ufffd\ufffd\ufffd\ufffd\u0010\u0000\ufffd\/f\u001e\ufffdr9\ufffdk3r\u0016\ufffd\ufffd]]\ufffd\ufffdq\ufffdfV\u001f\ufffd\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "\ufffd\ufffd\ufffdD\ufffd\ufffd\u07c2\ufffd[k[\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;,\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd 5\ufffd\ufffd\ufffd\ufffd\ufffd\/f\ufffdr9\ufffdk3r\ufffd\ufffd]]\ufffd\ufffdq\ufffdfV\ufffd\ufffd2\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd#\ufffd'<\ufffd\ufffd",
"attack_vector": "postgres probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 36,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 40
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdD\ufffd\ufffd\u07c2\ufffd\u0015[k[\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;,\ufffd\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\u0013\ufffdG\ufffd 5\ufffd\ufffd\ufffd\ufffd\u0010\u0000\ufffd\/f\u001e\ufffdr9\ufffdk3r\u0016\ufffd\ufffd]]\ufffd\ufffdq\ufffdfV\u001f\ufffd\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "postgres probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdD\ufffd\ufffd\u07c2\ufffd[k[\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;,\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd 5\ufffd\ufffd\ufffd\ufffd\ufffd\/f\ufffdr9\ufffdk3r\ufffd\ufffd]]\ufffd\ufffdq\ufffdfV\ufffd\ufffd2\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd#\ufffd'<\ufffd\ufffd",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_ssh_probe",
"ssh_emulated",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Protocole wire MongoDB
mongodb wire protocol · via SSH:22 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
mongodb_hello_probe
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
;�������������������admin.$cmd��������������hello��������?�>�������������������admin.$cmd��������������isMaster��������?�
Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0363
pat-0364
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
;�������������������admin.$cmd��������������hello��������?�>�������������������admin.$cmd��������������isMaster��������?
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 121,
"payload_entropy": 3.1150230512705406,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 38,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "bc2d1c20942b1079428048817a17e68d0d29c88a",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 116,
"precision_signals": [
"pat-0363",
"pat-0364"
],
"kb_rule_ids": [
"pat-0363",
"pat-0364"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "de7aa004722a47b7532d77bd58324675",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 38
},
"payload_snippet": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"evidence": {
"request_sample": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"payload_snippet": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a1120974c8726045927a4fd936a7f99911a4d656",
"protocol_details": {
"payload_preview": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": ";\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdhello\ufffd?>\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdisMaster\ufffd?",
"attack_vector": "mongodb wire protocol \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"pat-0363",
"pat-0364"
],
"tags_summary_labels_fr": [
"pat-0363",
"pat-0364"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "mongodb wire protocol \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": ";\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdhello\ufffd?>\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdisMaster\ufffd?",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_hello_probe",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde port 22/TCP
port 22 tcp · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mozi_pattern
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Preuve honeypot — Sonde port 22/TCP
Connexion détectée sur le port 22 (TCP) du capteur simulé.
Service
SSH
Payload
GET / HTTP/1.1 Host: 62.3.50.33:22 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko
Pourquoi cette classification : Type « port_22_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Moyen
· 45
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:22
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:22 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 187,
"payload_entropy": 5.383987673192649,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 46,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 46,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d7618832c0a2bdfa93a1dfe9da3c4b45bc1bbe62",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 46,
"novelty": 15,
"risk_score": 45
},
"named_classification_skipped": true,
"named_candidate": "ssh_probe",
"service_name": "ssh",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c6d7adbc04645037c21feea1e5278a4f",
"path_pattern_hash": "4d94c79baddfcb6b1b3c2c5fdc6c79e1"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 45
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"classification_reason": "Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f0f84ddad41e184f25737df608d861079e9b26fb",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"attack_vector": "port 22 tcp \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 46,
"novelty": 15,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "port 22 tcp \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mozi_pattern",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde port 22/TCP
port 22 tcp · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Preuve honeypot — Sonde port 22/TCP
Connexion détectée sur le port 22 (TCP) du capteur simulé.
Service
SSH
Payload
����YGl"Z��E�\z�0�l��'����> �I��6�k���� �a������~��x�^:����,8
Pourquoi cette classification : Type « port_22_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Moyen
· 42
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
����YGl"Z��E�\z�0�l��'����>
�I��6�k������a������~��x�^:����,8
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 64,
"payload_entropy": 5.84375,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "ec742e1f26595cf120b330e5f862965c23dfeeb2",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 42
},
"named_classification_skipped": true,
"named_candidate": "ssh_probe",
"service_name": "ssh",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "890f2617cc5eb0c3c32d995c118416f1",
"path_pattern_hash": "4d94c79baddfcb6b1b3c2c5fdc6c79e1"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 42
},
"payload_preview": "\ufffd\ufffd\ufffd\ufffdYGl\"Z\ufffd\ufffdE\ufffd\\z\ufffd0\ufffdl\u0000\ufffd'\ufffd\ufffd\ufffd\u0000>\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\f\ufffda\ufffd\ufffd\ufffd\ufffd\u0004\u0014~\u0001\ufffdx\ufffd^:\u0019\ufffd\u0015\ufffd,8",
"request_sample": "\ufffd\ufffd\ufffd\ufffdYGl\"Z\ufffd\ufffdE\ufffd\\z\ufffd0\ufffdl\u0000\ufffd'\ufffd\ufffd\ufffd\u0000>\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\f\ufffda\ufffd\ufffd\ufffd\ufffd\u0004\u0014~\u0001\ufffdx\ufffd^:\u0019\ufffd\u0015\ufffd,8",
"payload_snippet": "\ufffd\ufffd\ufffd\ufffdYGl\"Z\ufffd\ufffdE\ufffd\\z\ufffd0\ufffdl\u0000\ufffd'\ufffd\ufffd\ufffd\u0000>\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\f\ufffda\ufffd\ufffd\ufffd\ufffd\u0004\u0014~\u0001\ufffdx\ufffd^:\u0019\ufffd\u0015\ufffd,8",
"evidence": {
"request_sample": "\ufffd\ufffd\ufffd\ufffdYGl\"Z\ufffd\ufffdE\ufffd\\z\ufffd0\ufffdl\u0000\ufffd'\ufffd\ufffd\ufffd\u0000>\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\f\ufffda\ufffd\ufffd\ufffd\ufffd\u0004\u0014~\u0001\ufffdx\ufffd^:\u0019\ufffd\u0015\ufffd,8",
"payload_snippet": "\ufffd\ufffd\ufffd\ufffdYGl\"Z\ufffd\ufffdE\ufffd\\z\ufffd0\ufffdl\u0000\ufffd'\ufffd\ufffd\ufffd\u0000>\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\f\ufffda\ufffd\ufffd\ufffd\ufffd\u0004\u0014~\u0001\ufffdx\ufffd^:\u0019\ufffd\u0015\ufffd,8",
"classification_reason": "Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c16d52d7e3950a16cdd651e7c3a438587683959d",
"protocol_details": {
"payload_preview": "\ufffd\ufffd\ufffd\ufffdYGl\"Z\ufffd\ufffdE\ufffd\\z\ufffd0\ufffdl\u0000\ufffd'\ufffd\ufffd\ufffd\u0000>\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\f\ufffda\ufffd\ufffd\ufffd\ufffd\u0004\u0014~\u0001\ufffdx\ufffd^:\u0019\ufffd\u0015\ufffd,8",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdYGl\"Z\ufffd\ufffdE\ufffd\\z\ufffd0\ufffdl\ufffd'\ufffd\ufffd\ufffd>\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffda\ufffd\ufffd\ufffd\ufffd~\ufffdx\ufffd^:\ufffd\ufffd,8",
"attack_vector": "port 22 tcp \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 42
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\ufffd\ufffd\ufffd\ufffdYGl\"Z\ufffd\ufffdE\ufffd\\z\ufffd0\ufffdl\u0000\ufffd'\ufffd\ufffd\ufffd\u0000>\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\f\ufffda\ufffd\ufffd\ufffd\ufffd\u0004\u0014~\u0001\ufffdx\ufffd^:\u0019\ufffd\u0015\ufffd,8",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "port 22 tcp \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdYGl\"Z\ufffd\ufffdE\ufffd\\z\ufffd0\ufffdl\ufffd'\ufffd\ufffd\ufffd>\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffda\ufffd\ufffd\ufffd\ufffd~\ufffdx\ufffd^:\ufffd\ufffd,8",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 84
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-Fingerprintx-SSH2
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_banner
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-Fingerprintx-SSH2
Payload
SSH-2.0-Fingerprintx-SSH2
Pourquoi cette classification : Bannière client SSH reçue · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-Fingerprintx-SSH2
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 27,
"payload_entropy": 3.91211389097223,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "e61df9daa23678fb8da412993c14604e07486452",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 83,
"precision_signals": [
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253"
],
"pattern_ids": [
"pat-0391"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9347c491a8bfa0cf9d4139ebc591dc1a",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "SSH-2.0-Fingerprintx-SSH2\r\n",
"request_sample": "SSH-2.0-Fingerprintx-SSH2\r\n",
"payload_snippet": "SSH-2.0-Fingerprintx-SSH2",
"evidence": {
"request_sample": "SSH-2.0-Fingerprintx-SSH2\r\n",
"payload_snippet": "SSH-2.0-Fingerprintx-SSH2",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0ccf02ae15ff2ec307f7e559b769b36593f613fb",
"protocol_details": {
"ssh_banner": "SSH-2.0-Fingerprintx-SSH2",
"payload_preview": "SSH-2.0-Fingerprintx-SSH2",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-Fingerprintx-SSH2",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0391",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-Fingerprintx-SSH2",
"payload_preview": "SSH-2.0-Fingerprintx-SSH2",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-Fingerprintx-SSH2",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_banner",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 7,
"ssh_auth_burst_rate": 2.33,
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-Fingerprintx-SSH2
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_ssh_probe
ssh_banner
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-Fingerprintx-SSH2
Payload
SSH-2.0-Fingerprintx-SSH2
Pourquoi cette classification : Bannière client SSH reçue · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-Fingerprintx-SSH2
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 27,
"payload_entropy": 3.91211389097223,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "52aff1c3ab5260ce88a91e156d1e2db6de2ba6df",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 83,
"precision_signals": [
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253"
],
"pattern_ids": [
"pat-0391"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9347c491a8bfa0cf9d4139ebc591dc1a",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "SSH-2.0-Fingerprintx-SSH2\r\n",
"request_sample": "SSH-2.0-Fingerprintx-SSH2\r\n",
"payload_snippet": "SSH-2.0-Fingerprintx-SSH2",
"evidence": {
"request_sample": "SSH-2.0-Fingerprintx-SSH2\r\n",
"payload_snippet": "SSH-2.0-Fingerprintx-SSH2",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "52d32b9da785420c931187954c12cc6bf595755d",
"protocol_details": {
"ssh_banner": "SSH-2.0-Fingerprintx-SSH2",
"payload_preview": "SSH-2.0-Fingerprintx-SSH2",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-Fingerprintx-SSH2",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0391",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-Fingerprintx-SSH2",
"payload_preview": "SSH-2.0-Fingerprintx-SSH2",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-Fingerprintx-SSH2",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_ssh_probe",
"ssh_banner",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_banner_grab
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Pourquoi cette classification : Bannière client SSH reçue · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "9a7126521109c1987b3394ab50203f58d5e0666d",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "481e7c9d48f087e9179390f97c4362a8599a741d",
"protocol_details": {
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_banner_grab",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 18,
"ssh_auth_burst_rate": 1.28
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
OPTIONS rtsp://example.com RTSP/1.0 Cseq: 7216
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
RTSP protocol
HTTP OPTIONS method
User-Agent
—
Règles WAF
—
Payload (extrait)
OPTIONS rtsp://example.com RTSP/1.0
Cseq: 7216
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 51,
"payload_entropy": 4.814103037837824,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0103",
"pat-0382",
"pat-0420"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"RTSP protocol",
"HTTP OPTIONS method"
],
"pattern_ids": [
"pat-0103",
"pat-0382",
"pat-0420"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2b86689ebf77c360c4f0cca5b2b92364",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 7216\r\n\r\n",
"request_sample": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 7216\r\n\r\n",
"payload_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 7216",
"evidence": {
"request_sample": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 7216\r\n\r\n",
"payload_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 7216",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c139fe4977da1a7b1edf07d60d7d1acfb848ea75",
"protocol_details": {
"payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 7216",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 7216",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 7216",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 7216",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 36,
"ssh_auth_burst_rate": 2.57
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
postgres_startup
postgresql_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���T����user�postgres�database�postgres�application_name�psql�client_encoding�UTF8��
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 5 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
MSSQL TDS prelogin
ET H.323 setup
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
T����user�postgres�database�postgres�application_name�psql�client_encoding�UTF8
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 84,
"payload_entropy": 4.139167728978457,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 10
},
"risk_score": 48,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "2d36879333240626a18617a50ed2c7dee2f54393",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0348",
"pat-0356",
"pat-0868",
"pat-0554"
],
"matched_pattern_names": [
"RDP TPKT header",
"MSSQL TDS prelogin",
"ET H.323 setup",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0348",
"pat-0356",
"pat-0868",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 10,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "94e606a42613d0ef095b8001a98bf6ed",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"request_sample": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"payload_snippet": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"payload_snippet": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dff62050a720ccbe26a1a7aa16a0f946ee4180be",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 10,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"postgres_startup",
"postgresql_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 37,
"ssh_auth_burst_rate": 2.64
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Oracle TNS connect
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123
Requête brute (extrait)
��������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=22)))
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 238,
"payload_entropy": 5.113383338217833,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0520",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Oracle TNS connect",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0520",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3ec3472553fccfc5460ce0aa0edb3bd2",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"request_sample": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=22)))",
"payload_snippet": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"evidence": {
"request_sample": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=22)))",
"payload_snippet": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1246a073ff78ce2d8c3496f0df527f87975caadd",
"protocol_details": {
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "\ufffd<,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd<,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 38,
"ssh_auth_burst_rate": 2.71
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
mongodb_probe
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���(r������������������|��������������������
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
NFS RPC mount
Mumble ping
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���(r������������������|
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 44,
"payload_entropy": 1.9235205817738175,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d23b5ed00a4e814f350523d032a1394122d39cb7",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0532",
"pat-0768",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"NFS RPC mount",
"Mumble ping",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0532",
"pat-0768",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2a177602bee0d039f41fbd6da5240e04",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"request_sample": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e876fa09a770fdbdbcbee593cc5e2e22f1136a9e",
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "\ufffd(r\ufffd\ufffd\ufffd\ufffd|",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd(r\ufffd\ufffd\ufffd\ufffd|",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_probe",
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 32,
"ssh_auth_burst_rate": 2.46
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���f�SMB@�����������������������������������������������������������$������������333333333333337����������
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
f�SMB@�����������������������������������������������������������$������������333333333333337����������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 106,
"payload_entropy": 1.562219115128654,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c410cf23b3d85ec98026baf9f8231d24",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"request_sample": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"payload_snippet": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"evidence": {
"request_sample": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"payload_snippet": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d422539d9eae3410f418d7d4e23510bf8e6c8e72",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "f\ufffdSMB@$333333333333337",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "f\ufffdSMB@$333333333333337",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 33,
"ssh_auth_burst_rate": 2.54
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
T�����������
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
T�����������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 12,
"payload_entropy": 2.125814583693911,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6f4b631d2aa4b9024f72e0e149ce9eda",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "T\ufffd\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"request_sample": "T\ufffd\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"payload_snippet": "T\ufffd\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"evidence": {
"request_sample": "T\ufffd\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"payload_snippet": "T\ufffd\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c7ab99d5e4abcb724e1484ec6a2a51777e145e4a",
"protocol_details": {
"payload_preview": "T\ufffd\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "T\ufffd",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "T\ufffd\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "T\ufffd",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 34,
"ssh_auth_burst_rate": 2.61,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
*1 $4 PING
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Redis PING RESP
User-Agent
—
Règles WAF
—
Payload (extrait)
*1
$4
PING
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 14,
"payload_entropy": 3.128085278891395,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0414"
],
"matched_pattern_names": [
"Redis PING RESP"
],
"pattern_ids": [
"pat-0414"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a43cb6a3b9d261112714d00e36b33106",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "*1\r\n$4\r\nPING\r\n",
"request_sample": "*1\r\n$4\r\nPING\r\n",
"payload_snippet": "*1\r\n$4\r\nPING",
"evidence": {
"request_sample": "*1\r\n$4\r\nPING\r\n",
"payload_snippet": "*1\r\n$4\r\nPING",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d4d2aa8f4088fee9ca985dd7ecfcc5b9fc3cffa8",
"protocol_details": {
"payload_preview": "*1\r\n$4\r\nPING",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "*1\r\n$4\r\nPING",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "*1\r\n$4\r\nPING",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "*1\r\n$4\r\nPING",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 35,
"ssh_auth_burst_rate": 2.69
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
JRMI��K
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Java RMI JRMI
User-Agent
—
Règles WAF
—
Payload (extrait)
JRMI��K
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 7,
"payload_entropy": 2.807354922057604,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0604"
],
"matched_pattern_names": [
"Java RMI JRMI"
],
"pattern_ids": [
"pat-0604"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d8c49a0f759e2102fb8fa8368049d06a",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "JRMI\u0000\u0002K",
"request_sample": "JRMI\u0000\u0002K",
"payload_snippet": "JRMI\u0000\u0002K",
"evidence": {
"request_sample": "JRMI\u0000\u0002K",
"payload_snippet": "JRMI\u0000\u0002K",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "25c057bdc097d97004a01c34d3bb59bfa4a90986",
"protocol_details": {
"payload_preview": "JRMI\u0000\u0002K",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "JRMIK",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "JRMI\u0000\u0002K",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "JRMIK",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 39,
"ssh_auth_burst_rate": 3
}
|
|
|
TCP |
22 · SSH
|
ssh
|
mqtt probe
mqtt probe · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 49
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
mqtt_connect
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
����MQTT���<���AAAAA
Pourquoi cette classification : Rafale d'authentification SSH · confiance 97%
Confiance classification
97%
Risque capteur
Moyen
· 49
Confiance : Confiance 97 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0373
pat-0615
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MQTT protocol
MQTT alt CONNECT
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
����MQTT���<���AAAAA
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 20,
"payload_entropy": 3.1414460711655217,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 49,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "b1802f6f71a11621266cff4649898a3490ca5795",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%",
"confidence": 0.97,
"classification_confidence": 0.97,
"precision_score": 110,
"precision_signals": [
"pat-0373",
"pat-0615"
],
"kb_rule_ids": [
"pat-0373",
"pat-0615"
],
"matched_patterns": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"matched_pattern_names": [
"MQTT protocol",
"MQTT alt CONNECT",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 49
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 97,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8cbaa0e25147458ba5f5f0e8603c4f19",
"path_pattern_hash": "4449b927317468afa12a2f935a413459"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 49
},
"payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"request_sample": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"evidence": {
"request_sample": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "091bb425d2449cc5524179b89f1cfac2157d0511",
"protocol_details": {
"payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "MQTT<AAAAA",
"attack_vector": "mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 97%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100",
"confidence_pct": 97,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 49
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 49,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"pat-0373",
"pat-0615"
],
"tags_summary_labels_fr": [
"pat-0373",
"pat-0615"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "MQTT<AAAAA",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mqtt_connect",
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 40,
"ssh_auth_burst_rate": 3.07
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
@RSYTCD: 29
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
@RSYTCD: 29
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 12,
"payload_entropy": 3.584962500721156,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b2993d6e4414a846683a71de5eb18653",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "@RSYTCD: 29\n",
"request_sample": "@RSYTCD: 29\n",
"payload_snippet": "@RSYTCD: 29",
"evidence": {
"request_sample": "@RSYTCD: 29\n",
"payload_snippet": "@RSYTCD: 29",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "688ac31b5cccb45d898542916e35709bba611706",
"protocol_details": {
"payload_preview": "@RSYTCD: 29",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "@RSYTCD: 29",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "@RSYTCD: 29",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "@RSYTCD: 29",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 41,
"ssh_auth_burst_rate": 3.15
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
JDWP-Handshake
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
JDWP-Handshake
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 14,
"payload_entropy": 3.6644977792004623,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d7cf99dd7541d7bd514fc0d9a1b2d531",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "JDWP-Handshake",
"request_sample": "JDWP-Handshake",
"payload_snippet": "JDWP-Handshake",
"evidence": {
"request_sample": "JDWP-Handshake",
"payload_snippet": "JDWP-Handshake",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "edab5da1d572e96dec38495ef77723da65c2edc8",
"protocol_details": {
"payload_preview": "JDWP-Handshake",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "JDWP-Handshake",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "JDWP-Handshake",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "JDWP-Handshake",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 42,
"ssh_auth_burst_rate": 3.23
}
|
|
|
TCP |
22 · SSH
|
ssh
|
mqtt probe
mqtt probe · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 49
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
mqtt_connect
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
����MQTT���<��AAAAA
Pourquoi cette classification : Rafale d'authentification SSH · confiance 97%
Confiance classification
97%
Risque capteur
Moyen
· 49
Confiance : Confiance 97 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0373
pat-0615
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MQTT protocol
MQTT alt CONNECT
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
����MQTT���<��AAAAA
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 19,
"payload_entropy": 3.281373409411991,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 49,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "b1802f6f71a11621266cff4649898a3490ca5795",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%",
"confidence": 0.97,
"classification_confidence": 0.97,
"precision_score": 110,
"precision_signals": [
"pat-0373",
"pat-0615"
],
"kb_rule_ids": [
"pat-0373",
"pat-0615"
],
"matched_patterns": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"matched_pattern_names": [
"MQTT protocol",
"MQTT alt CONNECT",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 49
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 97,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "146feb4208f989935534a353df60ec62",
"path_pattern_hash": "4449b927317468afa12a2f935a413459"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 49
},
"payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"request_sample": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"evidence": {
"request_sample": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b037cb5b32edc22d86c89afe5cb4c84b5d698274",
"protocol_details": {
"payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "MQTT<AAAAA",
"attack_vector": "mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 97%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100",
"confidence_pct": 97,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 49
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 49,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"pat-0373",
"pat-0615"
],
"tags_summary_labels_fr": [
"pat-0373",
"pat-0615"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "MQTT<AAAAA",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mqtt_connect",
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 43,
"ssh_auth_burst_rate": 3.31
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���C�����3���consumer-Offset Explorer 2.2-18��apache-kafka-java�2.4.0�
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Kafka ApiVersions key
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
C�����3���consumer-Offset Explorer 2.2-18��apache-kafka-java�2.4.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 71,
"payload_entropy": 4.83906190787142,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0556",
"pat-0554"
],
"matched_pattern_names": [
"Kafka ApiVersions key",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0556",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d9bcc621186ef441cc445f2b3dbd5f10",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"request_sample": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"payload_snippet": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"payload_snippet": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9a321f0f92229c154128e8e36ccded2ae3db9c21",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 19,
"ssh_auth_burst_rate": 1.46
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
postgres_startup
postgresql_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���#�����3�� adminclient-5������SV59IH
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 5 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
ET H.323 setup
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
#�����3��
adminclient-5������SV59IH
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 39,
"payload_entropy": 4.155818941810702,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 10
},
"risk_score": 48,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "2d36879333240626a18617a50ed2c7dee2f54393",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"ET H.323 setup",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 10,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2b30d8d990d2c9ef2a45ca4c965196f0",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006SV59IH",
"request_sample": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006SV59IH",
"payload_snippet": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006SV59IH",
"evidence": {
"request_sample": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006SV59IH",
"payload_snippet": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006SV59IH",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c068c51337dd4e48f762e5ac302b516a91a324ff",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006SV59IH",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "#3\ufffd\radminclient-5SV59IH",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 10,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006SV59IH",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "#3\ufffd\radminclient-5SV59IH",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"postgres_startup",
"postgresql_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 20,
"ssh_auth_burst_rate": 1.54,
"behavior_alert_count": 1,
"behavior_priority": 84
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Protocole TDS MSSQL
mssql tds · via SSH:22 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
mssql_tds
net_bruteforce_burst
net_mssql_tds
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
���X�����������%����&����'����+����,�$�� ��������������\�k��٪<�K�{��\2!$���7�b9JF,�����
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Faible
· 35
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0519
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MSSQL TDS prelogin
Mumble ping
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���X�����������%����&����'����+����,�$�� ��������������\�k��٪<�K�{��\2!$���7�b9JF,�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 88,
"payload_entropy": 4.354527413223707,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 35,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "90e396dfa83b5a259815c28cb0d651ce713d0ed3",
"event_fingerprint": "e2fecb7fa672c436270a1a3ab197ed5a9894cbda",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 83,
"precision_signals": [
"pat-0519",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0519",
"INT-upstream"
],
"matched_patterns": [
"pat-0519",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"MSSQL TDS prelogin",
"Mumble ping",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0519",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0efe38694fbb4cc2af819186b5e9ae9e",
"path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 35
},
"payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"request_sample": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "934005d824e0429f4513074da441d0cf46312130",
"protocol_details": {
"payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "X%&'+,$\ufffd\t\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u066a<K\ufffd{\ufffd\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd",
"attack_vector": "mssql tds \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"pat-0519",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0519",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "mssql tds \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "X%&'+,$\ufffd\t\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u066a<K\ufffd{\ufffd\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mssql_tds",
"net_bruteforce_burst",
"net_mssql_tds",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 15,
"ssh_auth_burst_rate": 1.15
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
0:���9��`2�����cn=qveykmimefhzlduyftwz��qveykmimefhzlduyftwz
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
0:���9��`2�����cn=qveykmimefhzlduyftwz��qveykmimefhzlduyftwz
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 60,
"payload_entropy": 4.8402239289418505,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "10c3d18dc3484700172a01283b82bffd",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "0:\u0002\u0004\u00109\ufffd\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=qveykmimefhzlduyftwz\ufffd\u0014qveykmimefhzlduyftwz",
"request_sample": "0:\u0002\u0004\u00109\ufffd\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=qveykmimefhzlduyftwz\ufffd\u0014qveykmimefhzlduyftwz",
"payload_snippet": "0:\u0002\u0004\u00109\ufffd\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=qveykmimefhzlduyftwz\ufffd\u0014qveykmimefhzlduyftwz",
"evidence": {
"request_sample": "0:\u0002\u0004\u00109\ufffd\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=qveykmimefhzlduyftwz\ufffd\u0014qveykmimefhzlduyftwz",
"payload_snippet": "0:\u0002\u0004\u00109\ufffd\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=qveykmimefhzlduyftwz\ufffd\u0014qveykmimefhzlduyftwz",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e880990fbca8675b49511f8aed5682cafeca0a5f",
"protocol_details": {
"payload_preview": "0:\u0002\u0004\u00109\ufffd\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=qveykmimefhzlduyftwz\ufffd\u0014qveykmimefhzlduyftwz",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "0:9\ufffd\ufffd`2cn=qveykmimefhzlduyftwz\ufffdqveykmimefhzlduyftwz",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 15,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "0:\u0002\u0004\u00109\ufffd\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=qveykmimefhzlduyftwz\ufffd\u0014qveykmimefhzlduyftwz",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "0:9\ufffd\ufffd`2cn=qveykmimefhzlduyftwz\ufffdqveykmimefhzlduyftwz",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 16,
"ssh_auth_burst_rate": 1.23
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_banner_grab
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Pourquoi cette classification : Bannière client SSH reçue · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "9a7126521109c1987b3394ab50203f58d5e0666d",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "481e7c9d48f087e9179390f97c4362a8599a741d",
"protocol_details": {
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_banner_grab",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 14,
"ssh_auth_burst_rate": 1.4
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce_burst
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
Not a command
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
Not a command
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 16,
"payload_entropy": 3.327819531114783,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ad32b372bf9a8e846b24a957491de4e3",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "Not a command \r\n",
"request_sample": "Not a command \r\n",
"payload_snippet": "Not a command",
"evidence": {
"request_sample": "Not a command \r\n",
"payload_snippet": "Not a command",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "250dbd8b8f86903d9c7611d3c1f2018db5027abe",
"protocol_details": {
"payload_preview": "Not a command",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "Not a command",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "Not a command",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "Not a command",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 13,
"ssh_auth_burst_rate": 1
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Bruteforce SSH
Bruteforce SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce
net_ssh_probe
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Payload
��������������� ���
Pourquoi cette classification : Rafale d'authentification SSH · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Bruteforce SSH
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
ET H.323 setup
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 19,
"payload_entropy": 1.983740670882855,
"port_category": "well_known",
"org": "Google LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 396982,
"country": "BE",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "8fc6ed97290d268f1fc6cf8588666a2736755a3f",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 68,
"precision_signals": [
"INT-ssh-brute"
],
"kb_rule_ids": [
"INT-ssh-brute"
],
"matched_patterns": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"ET H.323 setup",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0003c8efa0acdc0c6540f4bdb920f6bc",
"path_pattern_hash": "fca570dfedc4605a2c5e448037a92aaf"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "94172eec75bd2e49c01514c1cb036ae3c10770b0",
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "\ufffd",
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-brute"
],
"tags_summary_labels_fr": [
"Bruteforce SSH"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"ssh_emulated"
],
"asn_dc_heuristic": true,
"ssh_auth_burst": true,
"ssh_auth_burst_count": 17,
"ssh_auth_burst_rate": 1.13
}
|