Renseignement sur les menaces

Inde

35.244.26.224

FAI Google LLC Première vue 15/06/2026 22:19 UTC Dernière vue 15/06/2026 22:19 UTC Risque Critique

Période analysée : 2026-05-21 → 2026-06-20

Activité suspecte — risque 62/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 86/100 Critique

Première observation 15/06/2026 22:19 UTC

Dernière observation 15/06/2026 22:19 UTC

Événements (période) 854

MITRE ATT&CK principal TA0007 427 occurrences

Activité suspecte — risque 62/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 84 · Bonus corrélation +8 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 35.244.16.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 854 événements sur la période pour cette IP.

35.187.13.22 Sonde port 3155/TCP 20/06/2026 09:25 UTC
34.77.191.38 Sonde port 12166/TCP 20/06/2026 09:25 UTC
34.14.21.193 Sonde port 9156/TCP 20/06/2026 09:24 UTC
34.78.120.132 Sonde port 9550/TCP 20/06/2026 09:24 UTC
147.185.133.62 Sonde PostgreSQL 20/06/2026 09:24 UTC
35.187.97.175 Sonde port 21243/TCP 20/06/2026 09:23 UTC
34.78.243.65 Sonde port 8171/TCP 20/06/2026 09:23 UTC
34.79.87.63 Sonde port 9200/TCP 20/06/2026 09:23 UTC

Événements (filtres)

854

Première observation

15/06/2026 22:19 UTC

Dernière observation

15/06/2026 22:19 UTC

Dernière activité (filtres)

15/06/2026 22:19 UTC

Événements 7j

854

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 427 TLS TCP 427

HTTP

427

TLS

427

Géolocalisation

Origine réseau déclarée

Inde unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 9003 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http flood · via HTTP:9003 · (tentative d'exploit) · → /mailer/sendgrid.php

Détails protocole

Méthode: GET
Chemin: /mailer/sendgrid.php
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;

Aperçu payload

GET /mailer/sendgrid.php HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo

Port / service

9003 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 3 tag(s) WAF

Technique MITRE

T1499

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1499 Upstream Waf Score

Confiance

100% Corrélation +8

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

854 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

854 événement(s) — page 2/18

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /app/config/parameters.yaml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/config/parameters.yaml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/config/parameters.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /app/config/parameters.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/config/parameters.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/config/parameters.yaml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) App Requête brute (extrait) GET /app/config/parameters.yaml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yaml", "http_ua_hash": "1e8c9428b01729bcd464c1cd2788559f9087a58c", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "83aab3d7a9203cac49bf41e0b5a1c79c704b2790", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 266, "payload_entropy": 5.416105357090953, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "cbc7e660e6ecb6f54191c717daf1251719c77f44", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1964b550c560693fb130866495e6d05e", "payload_hash": "ea061b5ecfabc923c19bf7073e3e4dd3", "path_pattern_hash": "8c6e5c3e505e4438940b3e0a90e2956a" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) App", "method": "GET", "path": "\/app\/config\/parameters.yaml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) App", "evidence": { "method": "GET", "path": "\/app\/config\/parameters.yaml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) App", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1367c1523a72641256e2b15f2df22c9a446ba855", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yaml", "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) App", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yaml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yaml", "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yaml", "evidence_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) App", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /project/settings.py	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /project/settings.py UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /project/settings.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /project/settings.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Django settings Ligne de requête `GET /project/settings.py HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /project/settings.py HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKi Requête brute (extrait) GET /project/settings.py HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "9c13b6dab7303dae49a7e44b7031f9ec3d0ff95e", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "11966cc72e0bfecaa733acc41e44392e18b681e0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.3219581121664525, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "3f2042586bdee8096012cb9e9baa9b8f64cc6ab3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0112" ], "matched_pattern_names": [ "LFI Django settings" ], "pattern_ids": [ "pat-0112" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6f4c72431b4e527337b8f202b7b65146", "payload_hash": "9d6be3f47d86fefddf6db343bbd481f7", "path_pattern_hash": "c29c8a7c1efc84947f863a90ed9e7db7" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKi", "method": "GET", "path": "\/project\/settings.py", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/project\/settings.py HTTP\/1.1", "request_sample": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKi", "evidence": { "method": "GET", "path": "\/project\/settings.py", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/project\/settings.py HTTP\/1.1", "request_sample": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "022597b7bba0ab73707ea0cd0ecc748b7a59a1c3", "protocol_details": { "http_method": "GET", "http_path": "\/project\/settings.py", "request_line": "GET \/project\/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKi", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/project\/settings.py", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/project\/settings.py", "request_line": "GET \/project\/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/project\/settings.py", "evidence_snippet": "GET \/project\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKi", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /core/settings.py	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /core/settings.py UA Mozilla/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit/537.… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_core Cible HTTP GET /core/settings.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /core/settings.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Django settings Ligne de requête `GET /core/settings.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /core/settings.py HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit/53 Requête brute (extrait) GET /core/settings.py HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "8b61b4276830ed7f7c0617ffeb8a8065cb2b4742", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "c07bd471de5a4ef5ce7e0f7af89cdd9467cb3bb4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.409867093219546, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e29caff51c5cb2f06c23eff5ee77bede6b6686c8", "event_fingerprint": "ee2c761cd0043fb061b44ca5184ccd049555ffee", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0112" ], "matched_pattern_names": [ "LFI Django settings" ], "pattern_ids": [ "pat-0112" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "71e0e2d7ffc2bcd780ecfbc3a73f8ab2", "payload_hash": "5361a2240f7bf945b952f255e1122a18", "path_pattern_hash": "4090a1b4b48d7fc38d1ad38e6bee359c" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/53", "method": "GET", "path": "\/core\/settings.py", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/core\/settings.py HTTP\/1.1", "request_sample": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/core\/settings.py", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/core\/settings.py HTTP\/1.1", "request_sample": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/53", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "574f10e2ba2a9234a59b66a601e5a4def5f857fb", "protocol_details": { "http_method": "GET", "http_path": "\/core\/settings.py", "request_line": "GET \/core\/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safar\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/53", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/core\/settings.py", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/core\/settings.py", "request_line": "GET \/core\/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safar\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/core\/settings.py", "evidence_snippet": "GET \/core\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/53", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_core", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /settings/production.py	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /settings/production.py UA Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleW… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_settings Cible HTTP GET /settings/production.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /settings/production.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /settings/production.py HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.464.0 Safari/534.3 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /settings/production.py HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US Requête brute (extrait) GET /settings/production.py HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.464.0 Safari/534.3 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "d733ed21837b2d81f996cc3263203a4984a5d5dc", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "cc6b445184452f6e13afcdd1d02a9b366ff0376c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 266, "payload_entropy": 5.38260055957982, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "5ef72b3ae06070efb840ec62f002d63dbe6e8a20", "event_fingerprint": "751c8329e0fd0d6f8364f0afd4713370105d1ab8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2480ac48c699fcac58c2adf504f6f4a", "payload_hash": "bc9e9777e5124f8fe253fa0c5855b478", "path_pattern_hash": "c348ef618ef0bfa50ce56f012c84455f" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US", "method": "GET", "path": "\/settings\/production.py", "user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit\/534.3 (KHTML, like Gecko) Chrome\/6.0.464.0 Safari\/534.3", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings\/production.py HTTP\/1.1", "request_sample": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit\/534.3 (KHTML, like Gecko) Chrome\/6.0.464.0 Safari\/534.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US", "evidence": { "method": "GET", "path": "\/settings\/production.py", "user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit\/534.3 (KHTML, like Gecko) Chrome\/6.0.464.0 Safari\/534.3", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings\/production.py HTTP\/1.1", "request_sample": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit\/534.3 (KHTML, like Gecko) Chrome\/6.0.464.0 Safari\/534.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "efa6d8278ff0418addc2c04ec2ec246e8826e9fa", "protocol_details": { "http_method": "GET", "http_path": "\/settings\/production.py", "request_line": "GET \/settings\/production.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit\/534.3 (KHTML, like Gecko) Chrome\/6.0.464.0 Safari\/\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings\/production.py", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/settings\/production.py", "request_line": "GET \/settings\/production.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit\/534.3 (KHTML, like Gecko) Chrome\/6.0.464.0 Safari\/\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings\/production.py", "evidence_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_settings", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /storage/logs/laravel.log	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /storage/logs/laravel.log UA Mozilla/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Bui… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /storage/logs/laravel.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /storage/logs/laravel.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Laravel log Ligne de requête `GET /storage/logs/laravel.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build/R1AA056) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /storage/logs/laravel.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; U; Android 1.6; en-us; SonyEricss Requête brute (extrait) GET /storage/logs/laravel.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build/R1AA056) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Accept-Charset: utf-8 Accept Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "log", "http_ua_hash": "81bf066f0e8b4121046beb1cd806204bd2d379f7", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "8fec6092b6d50f048de7f5341eb923ae4a4ab6d3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 294, "payload_entropy": 5.366502343615386, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "6c705c9e10733a62d25fdab389dd9e1354ac091b", "event_fingerprint": "550a7195e028ceae6e355a759a96535ccb03f943", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0124" ], "matched_pattern_names": [ "LFI Laravel log" ], "pattern_ids": [ "pat-0124" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5d11d0a23bb001075f37a6bd6babbf05", "payload_hash": "9d22c52c4b2ec0b01f172e01c7d3eebb", "path_pattern_hash": "6f29914bb94c22caf991d0657dba887c" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricss", "method": "GET", "path": "\/storage\/logs\/laravel.log", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build\/R1AA056) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "request_sample": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build\/R1AA056) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept", "payload_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricss", "evidence": { "method": "GET", "path": "\/storage\/logs\/laravel.log", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build\/R1AA056) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "request_sample": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build\/R1AA056) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept", "payload_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricss", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a4f4d48edd792faa197db57f7323180ca0e16652", "protocol_details": { "http_method": "GET", "http_path": "\/storage\/logs\/laravel.log", "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build\/R1AA056) AppleWebKit\/528.5 (KHTML, like Gecko) Versi\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricss", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/storage\/logs\/laravel.log", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/storage\/logs\/laravel.log", "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricssonX10i Build\/R1AA056) AppleWebKit\/528.5 (KHTML, like Gecko) Versi\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/storage\/logs\/laravel.log", "evidence_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; en-us; SonyEricss", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:9003 · (tentative d'exploit) · → /wp-config.php.old	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.php.old UA Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 950521:leak-8 Cible HTTP GET /wp-config.php.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /wp-config.php.old Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0195 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 933111 Probe /wp-config.php Ligne de requête `GET /wp-config.php.old HTTP/1.1` User-Agent Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) Règles WAF rce-0 nosqli-3 leak-5 leak-8 Payload (extrait) GET /wp-config.php.old HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Tride Requête brute (extrait) GET /wp-config.php.old HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "old", "http_ua_hash": "66bf6be33056e8f35755e11f4c4aad2bc4346360", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "24c516a67db44cfad409a699aaddb7e13edd5983", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.336790856731727, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 8, "anomaly_count": 0, "campaign_key": "9e211dcbbb905d59535b136f0fca752dd7f9a7c5", "event_fingerprint": "033683013a27b2a829c9d0863e68ee0bbddc8fae", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0160", "pat-0195" ], "matched_pattern_names": [ "CRS 933111", "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0160", "pat-0195" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "df0022ea60c8c650bbc2a661d81056b7", "payload_hash": "810ac55521c6f81d11ab6a63463b7c5e", "path_pattern_hash": "5fcd528564d98f34a98115294a2df668" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Tride", "method": "GET", "path": "\/wp-config.php.old", "user_agent": "Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0; IEMobile\/10.0; ARM; Touch; NOKIA; Lumia 920)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.old HTTP\/1.1", "request_sample": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0; IEMobile\/10.0; ARM; Touch; NOKIA; Lumia 920)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Tride", "evidence": { "method": "GET", "path": "\/wp-config.php.old", "user_agent": "Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0; IEMobile\/10.0; ARM; Touch; NOKIA; Lumia 920)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.old HTTP\/1.1", "request_sample": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0; IEMobile\/10.0; ARM; Touch; NOKIA; Lumia 920)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Tride", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6e637e82c696b7ca936f9088b2a6082f32593370", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.old", "request_line": "GET \/wp-config.php.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0; IEMobile\/10.0; ARM; Touch; NOKIA; Lumia 920)", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Tride", "attack_vector": "config file probe \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.old", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0195", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.old", "request_line": "GET \/wp-config.php.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0; IEMobile\/10.0; ARM; Touch; NOKIA; Lumia 920)", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.old", "evidence_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Tride", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /system/application/config/database.php	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /system/application/config/database.php UA Mozilla/5.0 (Linux; Android 9; MI 9) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /system/application/config/database.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /system/application/config/database.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /system/application/config/database.php HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; MI 9) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /system/application/config/database.php HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 9; MI 9) Ap Requête brute (extrait) GET /system/application/config/database.php HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 9; MI 9) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Co Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "php", "http_ua_hash": "637ce5322bb77a61de6800d960f9df95080fd8e7", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "24e56dc80b8c9895dd6363dc3d163c6ca2669cf7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 275, "payload_entropy": 5.382973845298224, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "d484e28cb472dc576304691e43a98b76e37d9713", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d14870c6fbb2acb77d15af60a1d43119", "payload_hash": "4266524d9554af8cb1d7fd863a076a36", "path_pattern_hash": "70f588a640b3de59a5428f938c259cab" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) Ap", "method": "GET", "path": "\/system\/application\/config\/database.php", "user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/system\/application\/config\/database.php HTTP\/1.1", "request_sample": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) Ap", "evidence": { "method": "GET", "path": "\/system\/application\/config\/database.php", "user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/system\/application\/config\/database.php HTTP\/1.1", "request_sample": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) Ap", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "957e4d4e0b12e6c09a136d23edcefab2adfc8dab", "protocol_details": { "http_method": "GET", "http_path": "\/system\/application\/config\/database.php", "request_line": "GET \/system\/application\/config\/database.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) Ap", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/system\/application\/config\/database.php", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/system\/application\/config\/database.php", "request_line": "GET \/system\/application\/config\/database.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 9) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/system\/application\/config\/database.php", "evidence_snippet": "GET \/system\/application\/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 9) Ap", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /WEB-INF/context.xml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /WEB-INF/context.xml UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /WEB-INF/context.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /WEB-INF/context.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /WEB-INF/context.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 YaBrowser/19.3.1.828 Yowser/2.5 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /WEB-INF/context.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (K Requête brute (extrait) GET /WEB-INF/context.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 YaBrowser/19.3.1.828 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gz Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "d4fd643349e1d6526e7d0cab0c15dbb179c43a94", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "f96fa52b403933e653406cfbc2173d513c6762a6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 281, "payload_entropy": 5.498409217988149, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "c5b7f0991bc654df93050e0e1e98293fb30a591d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ad79bbcc69575186f2ed0fd22d8f9f71", "payload_hash": "f83c4023a366674fdb6b317d4794bc5d", "path_pattern_hash": "0cc3084c1a2704ec60a7fbee65b65cb2" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/WEB-INF\/context.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/WEB-INF\/context.xml HTTP\/1.1", "request_sample": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "payload_snippet": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/WEB-INF\/context.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/WEB-INF\/context.xml HTTP\/1.1", "request_sample": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "payload_snippet": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f74d09841eb5b36ee2a8105af36fc32c7feb1538", "protocol_details": { "http_method": "GET", "http_path": "\/WEB-INF\/context.xml", "request_line": "GET \/WEB-INF\/context.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Y\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/WEB-INF\/context.xml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/WEB-INF\/context.xml", "request_line": "GET \/WEB-INF\/context.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Y\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/WEB-INF\/context.xml", "evidence_snippet": "GET \/WEB-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.idea/dataSources.xml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.idea/dataSources.xml UA Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gec… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.idea/dataSources.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.idea/dataSources.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.idea/ Ligne de requête `GET /.idea/dataSources.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko/20040614 Firefox/3.0.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.idea/dataSources.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2. Requête brute (extrait) GET /.idea/dataSources.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko/20040614 Firefox/3.0.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "5183b59b571299ee1872f519219bf4c67961b483", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "d8b4f1d4ad149f189f1e83b2ee85c58600df146c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 229, "payload_entropy": 5.305815665860052, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "fbd106cdae0e488fedb8cf77def1992aa85c74aa", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0226" ], "matched_pattern_names": [ "Probe \/.idea\/" ], "pattern_ids": [ "pat-0226" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b6c9ae6675288a92970bda0849a8ccbb", "payload_hash": "0885fcffe7ebe4bec9ea47f66265a2eb", "path_pattern_hash": "45b1a6f2cf9945ad18514ad77ffdd93e" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.", "method": "GET", "path": "\/.idea\/dataSources.xml", "user_agent": "Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko\/20040614 Firefox\/3.0.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/dataSources.xml HTTP\/1.1", "request_sample": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko\/20040614 Firefox\/3.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.", "evidence": { "method": "GET", "path": "\/.idea\/dataSources.xml", "user_agent": "Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko\/20040614 Firefox\/3.0.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/dataSources.xml HTTP\/1.1", "request_sample": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko\/20040614 Firefox\/3.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3293efba4f817e0d5c97c4e72048f4a3934d0c42", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/dataSources.xml", "request_line": "GET \/.idea\/dataSources.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko\/20040614 Firefox\/3.0.0", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/dataSources.xml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/dataSources.xml", "request_line": "GET \/.idea\/dataSources.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko\/20040614 Firefox\/3.0.0", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/dataSources.xml", "evidence_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.idea/workspace.xml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.idea/workspace.xml UA Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Bu… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.idea/workspace.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.idea/workspace.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.idea/ Ligne de requête `GET /.idea/workspace.xml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.idea/workspace.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Tou Requête brute (extrait) GET /.idea/workspace.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Accept-Charset: utf-8 Accept-Enc Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "d7524cb8f6bca20d6e635bf54e6b08baad462745", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "dcd10abd9e64a56ef60f2096a44fceab68d89da5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 290, "payload_entropy": 5.415816097893007, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "8a18d45ff831c42f30fcdfe4de664021d24bdbf5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0226" ], "matched_pattern_names": [ "Probe \/.idea\/" ], "pattern_ids": [ "pat-0226" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1a12f49730945b9c394ae9871edf3a4f", "payload_hash": "57bebd0c691c44d5e98bff03365b4f89", "path_pattern_hash": "5704ec26c04e317ce2b2911c876a5465" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Tou", "method": "GET", "path": "\/.idea\/workspace.xml", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/workspace.xml HTTP\/1.1", "request_sample": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Enc", "payload_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Tou", "evidence": { "method": "GET", "path": "\/.idea\/workspace.xml", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/workspace.xml HTTP\/1.1", "request_sample": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Enc", "payload_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Tou", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6de9787306d78a60f88416d1caaa58e4eee6522d", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/workspace.xml", "request_line": "GET \/.idea\/workspace.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Vers\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Tou", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/workspace.xml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/workspace.xml", "request_line": "GET \/.idea\/workspace.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Vers\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/workspace.xml", "evidence_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Tou", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /WEB-INF/web.xml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /WEB-INF/web.xml UA Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /WEB-INF/web.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /WEB-INF/web.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Java WEB-INF disclosure Ligne de requête `GET /WEB-INF/web.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /WEB-INF/web.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /WEB-INF/web.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "406c0b0894354088d8f5982fc3e45e9b602445dc", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "294983df7ad5a41b7a3548dc9a0ed2f5cf075040", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 244, "payload_entropy": 5.496009752221258, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "ba6f63204e2beedbec8a3f608221f9fe48c57009", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0122" ], "matched_pattern_names": [ "LFI Java WEB-INF disclosure" ], "pattern_ids": [ "pat-0122" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2c6275f92d78f4160016553bf98a3723", "payload_hash": "45b7127c969fe940eb48fb6ae40e10f5", "path_pattern_hash": "2d380bdeba64643ea1e25f4789b575b6" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/WEB-INF\/web.xml", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/WEB-INF\/web.xml HTTP\/1.1", "request_sample": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/WEB-INF\/web.xml", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/WEB-INF\/web.xml HTTP\/1.1", "request_sample": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2c7f8bb3183fccf05641ef40dd405f4592c4591c", "protocol_details": { "http_method": "GET", "http_path": "\/WEB-INF\/web.xml", "request_line": "GET \/WEB-INF\/web.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/WEB-INF\/web.xml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/WEB-INF\/web.xml", "request_line": "GET \/WEB-INF\/web.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/WEB-INF\/web.xml", "evidence_snippet": "GET \/WEB-INF\/web.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /META-INF/context.xml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /META-INF/context.xml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /META-INF/context.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /META-INF/context.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /META-INF/context.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /META-INF/context.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /META-INF/context.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "43e4b0179faf26f5e73f9a782deef3b6a3d8046e", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "3986bf7cda9cc4c51e53512817fc8584b30172b0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.45717489213118, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "9ad2ef10ffa7bd548cbd4dbf546a3482ae05d769", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "70bf21fb1ce09d0c48dddb280b358e18", "payload_hash": "f816f88436b7b5676262d44deb50c331", "path_pattern_hash": "30f764f600e5073ae934f34b2b98acc2" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "method": "GET", "path": "\/META-INF\/context.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "request_sample": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/META-INF\/context.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "request_sample": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "007cf02295b1b246e852d97e199cd59a4e44d6ec", "protocol_details": { "http_method": "GET", "http_path": "\/META-INF\/context.xml", "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/META-INF\/context.xml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/META-INF\/context.xml", "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.108 Safari\/537.36", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/META-INF\/context.xml", "evidence_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /WEB-INF/classes/application.properties	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /WEB-INF/classes/application.properties UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /WEB-INF/classes/application.properties TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /WEB-INF/classes/application.properties Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /WEB-INF/classes/application.properties HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /WEB-INF/classes/application.properties HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X Requête brute (extrait) GET /WEB-INF/classes/application.properties HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "properties", "http_ua_hash": "12e61ede4f75e40b24f2a993128b866dcbbd1476", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "10b2e06ee448a350a7e1543add2e5ae160c495e4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 277, "payload_entropy": 5.359805823302083, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "5d0f446edc57151df322e7127caf08dc36e21ec3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c4309eabdc0307906b00671cce766eeb", "payload_hash": "6bd6427013b73ec83d1a07a87faceb10", "path_pattern_hash": "f8e656368886c0ce42a00ebbaba2414b" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X ", "method": "GET", "path": "\/WEB-INF\/classes\/application.properties", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1", "request_sample": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n", "payload_snippet": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "evidence": { "method": "GET", "path": "\/WEB-INF\/classes\/application.properties", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1", "request_sample": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n", "payload_snippet": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c8fce5f82a145998217720b758abb67f31615505", "protocol_details": { "http_method": "GET", "http_path": "\/WEB-INF\/classes\/application.properties", "request_line": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/WEB-INF\/classes\/application.properties", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/WEB-INF\/classes\/application.properties", "request_line": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/WEB-INF\/classes\/application.properties", "evidence_snippet": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:9003 · (tentative d'exploit) · → /internal/secrets.json	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /internal/secrets.json UA Mozilla/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit/537.36… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_k8s_probe Cible HTTP GET /internal/secrets.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /internal/secrets.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0496 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Secrets JSON file Ligne de requête `GET /internal/secrets.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /internal/secrets.json HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit Requête brute (extrait) GET /internal/secrets.json HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "56a3ab03f7579d16d2a6074f1c85ff91d84df30b", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "e7406b4d8f1796ab257c40ae6f6c0b897e45a189", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 266, "payload_entropy": 5.376018407521878, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "6744d10676255bef4a6dcc0d7fd28a051112cc11", "event_fingerprint": "9f4c8e17fb25b36034cca57c972d94d18340d393", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0496" ], "matched_pattern_names": [ "Cred Secrets JSON file" ], "pattern_ids": [ "pat-0496" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "621dcd8745d0cdf50bf6435ef34b4e08", "payload_hash": "10765d98f5bdd88c4960b4bf669a55c5", "path_pattern_hash": "d62c78f7ba64ca452bd03619c00c7af4" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/internal\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit", "method": "GET", "path": "\/internal\/secrets.json", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/internal\/secrets.json HTTP\/1.1", "request_sample": "GET \/internal\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/internal\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit", "evidence": { "method": "GET", "path": "\/internal\/secrets.json", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/internal\/secrets.json HTTP\/1.1", "request_sample": "GET \/internal\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/internal\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "83688e5e6670a6dca965f614a37a30c562d628dd", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/secrets.json", "request_line": "GET \/internal\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/internal\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit", "attack_vector": "credential file probe \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/secrets.json", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0496", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/internal\/secrets.json", "request_line": "GET \/internal\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/internal\/secrets.json", "evidence_snippet": "GET \/internal\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-A910F) AppleWebKit", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_k8s_probe", "http_probe_internal", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:9003 · (tentative d'exploit) · → /private/secrets.json	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /private/secrets.json UA Mozilla/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build/CUPCA… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_k8s_probe Cible HTTP GET /private/secrets.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /private/secrets.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0496 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Secrets JSON file Ligne de requête `GET /private/secrets.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private/secrets.json HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build Requête brute (extrait) GET /private/secrets.json HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Accept-Charset: utf-8 Accept-Encoding: g Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "b6fa98db0d1c97766644fa8d3880dbf6a9144a2d", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "1a592bf2c5d0fa0649bfef76bf43dc28f3f43a27", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 282, "payload_entropy": 5.383288717672155, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "e6958453d244c0157cbfbc38cf25e7dc8a2718b2", "event_fingerprint": "8b6ec6f2de4cc30ac9c390f1f3c648634e3d13c8", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0496" ], "matched_pattern_names": [ "Cred Secrets JSON file" ], "pattern_ids": [ "pat-0496" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2f44c9e3f91168287cbac7140756ad82", "payload_hash": "789e37c02896b785ec678f5594ec58b9", "path_pattern_hash": "28bdca9eb7d8c2f1408ad5c40bac8497" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/private\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build", "method": "GET", "path": "\/private\/secrets.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private\/secrets.json HTTP\/1.1", "request_sample": "GET \/private\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "payload_snippet": "GET \/private\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build", "evidence": { "method": "GET", "path": "\/private\/secrets.json", "user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private\/secrets.json HTTP\/1.1", "request_sample": "GET \/private\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "payload_snippet": "GET \/private\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "45e799f411aa81ca450b1561d35f2f7c32f1faf2", "protocol_details": { "http_method": "GET", "http_path": "\/private\/secrets.json", "request_line": "GET \/private\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build", "attack_vector": "credential file probe \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/secrets.json", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0496", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private\/secrets.json", "request_line": "GET \/private\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private\/secrets.json", "evidence_snippet": "GET \/private\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-us; SPH-M900 Build", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_k8s_probe", "http_probe_private", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.idea/dataSources.local.xml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.idea/dataSources.local.xml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.idea/dataSources.local.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.idea/dataSources.local.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.idea/ Ligne de requête `GET /.idea/dataSources.local.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.idea/dataSources.local.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) Ap Requête brute (extrait) GET /.idea/dataSources.local.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connectio Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "dbe7d8dc93a8b275e4328e5cb21ffaad48fc82a0", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "69f35c14ff491b04a05fe95ac539edbead309c12", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 268, "payload_entropy": 5.41216938315607, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "a4de251db47953acb4cd7cd072dbc7ce8b565287", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0226" ], "matched_pattern_names": [ "Probe \/.idea\/" ], "pattern_ids": [ "pat-0226" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b3bb57b2cc8036afbd3d065bf03de9df", "payload_hash": "4223501cfa301d35f65ea6d346c41777", "path_pattern_hash": "921ea8e3058ced1425d3fb1a6683e728" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Ap", "method": "GET", "path": "\/.idea\/dataSources.local.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/dataSources.local.xml HTTP\/1.1", "request_sample": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Ap", "evidence": { "method": "GET", "path": "\/.idea\/dataSources.local.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/dataSources.local.xml HTTP\/1.1", "request_sample": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Ap", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ee225ca910ef1e0cb7b75788fdf0bec906fbcb41", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/dataSources.local.xml", "request_line": "GET \/.idea\/dataSources.local.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Ap", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/dataSources.local.xml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/dataSources.local.xml", "request_line": "GET \/.idea\/dataSources.local.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/dataSources.local.xml", "evidence_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Ap", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.drone.yml	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.drone.yml UA Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gec… Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950470:nosqli-3 net_flood Cible HTTP GET /.drone.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.drone.yml Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Signaux MITRE-T1499 Upstream Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.drone.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3 Règles WAF nosqli-3 Payload (extrait) GET /.drone.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Requête brute (extrait) GET /.drone.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "e576e94dad83cd52177cb9ef926a3d4095dd883d", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "1954ac9283af903ae4a6de319bd93df245fb035e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 228, "payload_entropy": 5.344511461832195, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 2, "anomaly_count": 0, "campaign_key": "eed68c1d82b6ccb2f3ebf0a5631fdd3e5615b515", "event_fingerprint": "68a91d54841b6d1e3914ff8168cbb7b1d2905df8", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "MITRE-T1499", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "28b5a0abf8f5a3dc2974b5b5cc32be49", "payload_hash": "e4b1bab1c97630f43eef5b4cd7ed121d", "path_pattern_hash": "f74d63edd884e7a9299ad52f54b46b61" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko) ", "method": "GET", "path": "\/.drone.yml", "user_agent": "Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko) Chrome\/19.0.1061.1 Safari\/536.3", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/.drone.yml HTTP\/1.1", "request_sample": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko) Chrome\/19.0.1061.1 Safari\/536.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko)", "evidence": { "method": "GET", "path": "\/.drone.yml", "user_agent": "Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko) Chrome\/19.0.1061.1 Safari\/536.3", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/.drone.yml HTTP\/1.1", "request_sample": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko) Chrome\/19.0.1061.1 Safari\/536.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko)", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "398506868d300b629f2a518bde371941595d4782", "protocol_details": { "http_method": "GET", "http_path": "\/.drone.yml", "request_line": "GET \/.drone.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko) Chrome\/19.0.1061.1 Safari\/536.3", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko)", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.drone.yml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.drone.yml", "request_line": "GET \/.drone.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko) Chrome\/19.0.1061.1 Safari\/536.3", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.drone.yml", "evidence_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko)", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.travis.yml	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.travis.yml UA Mozilla/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.travis.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.travis.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.travis.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.travis.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /.travis.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "17e7dc526aeb226ca9786705d6ec1916e1516352", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "0f539eb712332002814a106c4304479b90529490", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.421619680562169, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "57a602dc0a2d60b7d2955390f951c2f125ab353a", "event_fingerprint": "95b8fbe77e6a50e27e9670d2e01f8753cae782ad", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0b620cfff50f90a92478e284ba8cdfb4", "payload_hash": "8af4c50681268f8d3240357976c12d0e", "path_pattern_hash": "31215e4931d9a8bb956098a35abb0b27" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/.travis.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.travis.yml HTTP\/1.1", "request_sample": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/.travis.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.travis.yml HTTP\/1.1", "request_sample": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b48c34e3aa0b6a860ec21a65f4da236a4c9d5f7", "protocol_details": { "http_method": "GET", "http_path": "\/.travis.yml", "request_line": "GET \/.travis.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit\/537.36 (KHTM", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.travis.yml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.travis.yml", "request_line": "GET \/.travis.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.travis.yml", "evidence_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LG-H820) AppleWebKit\/537.36 (KHTM", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.vscode/tasks.json	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.vscode/tasks.json UA Opera/9.80 (Android; Opera Mini/7.6.40234/151.113; U; en) Prest… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.vscode/tasks.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.vscode/tasks.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.vscode/ Ligne de requête `GET /.vscode/tasks.json HTTP/1.1` User-Agent Opera/9.80 (Android; Opera Mini/7.6.40234/151.113; U; en) Presto/2.12.423 Version/12.16 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.vscode/tasks.json HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Opera/9.80 (Android; Opera Mini/7.6.40234/151.113; U; en) P Requête brute (extrait) GET /.vscode/tasks.json HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Opera/9.80 (Android; Opera Mini/7.6.40234/151.113; U; en) Presto/2.12.423 Version/12.16 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "39cf8711194d175dc249c64d89a5be41b73cbfc4", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "92e911a3df5ad35698662851e6649fca8b9cc765", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 225, "payload_entropy": 5.212287626552344, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "60397069cb7ec770585d153c597785d28bc2ebd0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0227" ], "matched_pattern_names": [ "Probe \/.vscode\/" ], "pattern_ids": [ "pat-0227" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "66677e2111bcaebb536729956fa2fae4", "payload_hash": "1f50d61dd66ade7a71c90d741158834e", "path_pattern_hash": "71d0e06039e234c8f571eb83415e4643" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/7.6.40234\/151.113; U; en) P", "method": "GET", "path": "\/.vscode\/tasks.json", "user_agent": "Opera\/9.80 (Android; Opera Mini\/7.6.40234\/151.113; U; en) Presto\/2.12.423 Version\/12.16", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/tasks.json HTTP\/1.1", "request_sample": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/7.6.40234\/151.113; U; en) Presto\/2.12.423 Version\/12.16\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/7.6.40234\/151.113; U; en) P", "evidence": { "method": "GET", "path": "\/.vscode\/tasks.json", "user_agent": "Opera\/9.80 (Android; Opera Mini\/7.6.40234\/151.113; U; en) Presto\/2.12.423 Version\/12.16", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/tasks.json HTTP\/1.1", "request_sample": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/7.6.40234\/151.113; U; en) Presto\/2.12.423 Version\/12.16\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/7.6.40234\/151.113; U; en) P", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4f7c3ca5e6f093e46fd12626e50798a8a919d8cd", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/tasks.json", "request_line": "GET \/.vscode\/tasks.json HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Android; Opera Mini\/7.6.40234\/151.113; U; en) Presto\/2.12.423 Version\/12.16", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/7.6.40234\/151.113; U; en) P", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/tasks.json", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/tasks.json", "request_line": "GET \/.vscode\/tasks.json HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Android; Opera Mini\/7.6.40234\/151.113; U; en) Presto\/2.12.423 Version\/12.16", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/tasks.json", "evidence_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/7.6.40234\/151.113; U; en) P", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /debug.log	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /debug.log UA Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) Ap… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /debug.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /debug.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Debug log disclosure Ligne de requête `GET /debug.log HTTP/1.1` User-Agent Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Mobile Safari/537.36 Edge/12.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /debug.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWe Requête brute (extrait) GET /debug.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Mobile Safari/537.36 Edge/12.0 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "472f5dbad5a8bd9a6af27304495ad1623951d2cb", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "77d9f648329aebdef206c4b1d63546db6147ce3b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 279, "payload_entropy": 5.457266815168208, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "7e27306b022fc6c5754a7b509ae12579b50344a4", "event_fingerprint": "a42b683420e0255fc4d60ab7e6b064807799bf5a", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0110" ], "matched_pattern_names": [ "LFI Debug log disclosure" ], "pattern_ids": [ "pat-0110" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "500ba59d6f87227a69e9333fc5decbb2", "payload_hash": "c32280c7c07e47efaa7e47fbc349b87d", "path_pattern_hash": "55839acef8bcadd99e7e1a1cdf75a15f" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWe", "method": "GET", "path": "\/debug.log", "user_agent": "Mozilla\/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Mobile Safari\/537.36 Edge\/12.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/debug.log HTTP\/1.1", "request_sample": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Mobile Safari\/537.36 Edge\/12.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWe", "evidence": { "method": "GET", "path": "\/debug.log", "user_agent": "Mozilla\/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Mobile Safari\/537.36 Edge\/12.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/debug.log HTTP\/1.1", "request_sample": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Mobile Safari\/537.36 Edge\/12.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWe", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a07055e58b1081ece50050c13c0c010dd891ab2b", "protocol_details": { "http_method": "GET", "http_path": "\/debug.log", "request_line": "GET \/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWe", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/debug.log", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/debug.log", "request_line": "GET \/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/debug.log", "evidence_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 10.0; Android 4.2.1; DEVICE INFO) AppleWe", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.github/workflows/deploy.yml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.github/workflows/deploy.yml UA Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /.github/workflows/deploy.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.github/workflows/deploy.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.github/workflows/deploy.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebK Requête brute (extrait) GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connectio Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "206a1505c3d2cd161df512e2a8c0076f16f0edf8", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "9a980960a1dce8601282270803934f12c1e6c3d4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 268, "payload_entropy": 5.469939347051755, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e00c65eeb03d1145122535589ef4e40b5a1a74b6", "event_fingerprint": "a68b0841a3bf764f42d10c5f719e105e76f25806", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c31c831c1c3a7f5549c146d9032e0e02", "payload_hash": "4aa91d5597a6e3597d9427b03ddeb19d", "path_pattern_hash": "76cfbca880390f07dc02774a92e03828" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ANE-LX1) AppleWebK", "method": "GET", "path": "\/.github\/workflows\/deploy.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ANE-LX1) AppleWebK", "evidence": { "method": "GET", "path": "\/.github\/workflows\/deploy.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ANE-LX1) AppleWebK", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5898348f7e5bf13ad521bf45b934d1da1263ce16", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/deploy.yml", "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ANE-LX1) AppleWebK", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/deploy.yml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/deploy.yml", "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/deploy.yml", "evidence_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ANE-LX1) AppleWebK", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.vscode/sftp.json	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.vscode/sftp.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.vscode/sftp.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.vscode/sftp.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.vscode/ Ligne de requête `GET /.vscode/sftp.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116 (Edition Campaign 34) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.vscode/sftp.json HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /.vscode/sftp.json HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116 (Edition Campaign 34) Accept-Charset: utf-8 Accept-E Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "d96a66ccbddcb09e6ce6a45f6dd8ef2e2962bbb6", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "a7b754a65cd3a72c45519ffad56ec4883c279ab1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 292, "payload_entropy": 5.437463415823841, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "d7f3ef05966bf3346328f8bd59c0e02c2b0a13fd", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0227" ], "matched_pattern_names": [ "Probe \/.vscode\/" ], "pattern_ids": [ "pat-0227" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dc765649ca628def36daa9e3b5bee2be", "payload_hash": "62062985d2232026374b73432da90ca3", "path_pattern_hash": "4379ee7559d68deac5f1bf414dd60187" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/.vscode\/sftp.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116 (Edition Campaign 34)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "request_sample": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116 (Edition Campaign 34)\r\nAccept-Charset: utf-8\r\nAccept-E", "payload_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/.vscode\/sftp.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116 (Edition Campaign 34)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "request_sample": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116 (Edition Campaign 34)\r\nAccept-Charset: utf-8\r\nAccept-E", "payload_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "51745e5cf5872534fa42e75b0ce285761985be8f", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/sftp.json", "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/sftp.json", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/sftp.json", "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/sftp.json", "evidence_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.drone.yaml	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.drone.yaml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.drone.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.drone.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.drone.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.drone.yaml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 Requête brute (extrait) GET /.drone.yaml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "d26e1d61c03aaf3f5f656da37f62db95c9abb313", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "2dde7c7ac3e6a210a636b7b4438f90ddd70a6f86", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.40625384004387, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "09217d7d687ea21e5c1c0e767c2e21e696c2ccf2", "event_fingerprint": "b69de42c37033d875509282474287d8d706424fe", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f405ad96fd078e94edcb0df4d7b7acb8", "payload_hash": "79ebb94aee2c060cb1ca325fe32468ae", "path_pattern_hash": "375bdd2accbc560de2cef140cdb7ad08" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36", "method": "GET", "path": "\/.drone.yaml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.drone.yaml HTTP\/1.1", "request_sample": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/.drone.yaml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.drone.yaml HTTP\/1.1", "request_sample": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d99303c7188d385b17f8df3eea15b13f17900e0a", "protocol_details": { "http_method": "GET", "http_path": "\/.drone.yaml", "request_line": "GET \/.drone.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.drone.yaml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.drone.yaml", "request_line": "GET \/.drone.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.drone.yaml", "evidence_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.github/workflows/ci.yml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.github/workflows/ci.yml UA Mozilla/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit/537.3… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /.github/workflows/ci.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.github/workflows/ci.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.github/workflows/ci.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.github/workflows/ci.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWe Requête brute (extrait) GET /.github/workflows/ci.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "0a43c526d2b7e0a2dfbd0cfa361335603fe9127d", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "3ec364769fb4698cfcca7031daf28214f8708060", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 269, "payload_entropy": 5.474930607752271, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e00c65eeb03d1145122535589ef4e40b5a1a74b6", "event_fingerprint": "66f82f7b73b71b994b45ba57c69b918e5fcd20c7", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bd3d051de151d9c7546bb93161c19229", "payload_hash": "3ac203ee76ac8f476f287e7a63392bad", "path_pattern_hash": "0bac82c8c4461b7e2eb48cd6eaefa7e9" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWe", "method": "GET", "path": "\/.github\/workflows\/ci.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/ci.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWe", "evidence": { "method": "GET", "path": "\/.github\/workflows\/ci.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/ci.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWe", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea3d97f6e5ce17660ee61ae91fcf8963174c4b28", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/ci.yml", "request_line": "GET \/.github\/workflows\/ci.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWe", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/ci.yml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/ci.yml", "request_line": "GET \/.github\/workflows\/ci.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/ci.yml", "evidence_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWe", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.idea/WebServers.xml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.idea/WebServers.xml UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.idea/WebServers.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.idea/WebServers.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.idea/ Ligne de requête `GET /.idea/WebServers.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 YaBrowser/19.7.2.455 Yowser/2.5 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.idea/WebServers.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (K Requête brute (extrait) GET /.idea/WebServers.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 YaBrowser/19.7.2.455 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gz Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "f7ce96bd7c374c46ea88f4107d82471aff5c9393", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "732626ecbb27c33e1b5cffe507928daff3e1ffcb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 281, "payload_entropy": 5.458437394428598, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "1a0212008626cb3fa79bb410043edc17444efc18", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0226" ], "matched_pattern_names": [ "Probe \/.idea\/" ], "pattern_ids": [ "pat-0226" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "afad000495b25fb36d68911567b040db", "payload_hash": "1a0c5d2e2e40c69fe9b75bcee0c8f75e", "path_pattern_hash": "3ef5b863418297cf1b3afb7572309761" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/.idea\/WebServers.xml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.455 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/WebServers.xml HTTP\/1.1", "request_sample": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.455 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "payload_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/.idea\/WebServers.xml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.455 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/WebServers.xml HTTP\/1.1", "request_sample": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.455 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gz", "payload_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "be5040c36a6ff8a79449894c100f00a834f7482e", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/WebServers.xml", "request_line": "GET \/.idea\/WebServers.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.455 Yo\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (K", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/WebServers.xml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/WebServers.xml", "request_line": "GET \/.idea\/WebServers.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.455 Yo\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/WebServers.xml", "evidence_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (K", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /azure-pipelines.yml	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /azure-pipelines.yml UA Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.9 (KH… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /azure-pipelines.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /azure-pipelines.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /azure-pipelines.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/5.0.309.0 Safari/532.9 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /azure-pipelines.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532. Requête brute (extrait) GET /azure-pipelines.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/5.0.309.0 Safari/532.9 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "c1ae4b60003f39a3e74ef208ba5718aab39003e1", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "8bacf7ba189e1d49695131e01ec30c1752198ab0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.435922983977819, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "57a602dc0a2d60b7d2955390f951c2f125ab353a", "event_fingerprint": "be4c816aa4a88c28e62c6d4f3f33552eb5b0e247", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6cb7a303ee53da313a7fcebc1e8ba18d", "payload_hash": "fc2d39038fde0703d580a57ef6c7f1eb", "path_pattern_hash": "d76578f2ff8c409283f48927713c6e3e" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/532.", "method": "GET", "path": "\/azure-pipelines.yml", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/532.9 (KHTML, like Gecko) Chrome\/5.0.309.0 Safari\/532.9", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "request_sample": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/532.9 (KHTML, like Gecko) Chrome\/5.0.309.0 Safari\/532.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/532.", "evidence": { "method": "GET", "path": "\/azure-pipelines.yml", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/532.9 (KHTML, like Gecko) Chrome\/5.0.309.0 Safari\/532.9", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "request_sample": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/532.9 (KHTML, like Gecko) Chrome\/5.0.309.0 Safari\/532.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/532.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "59ef7a055021506c09dae09adc7ebc6ee2ec0054", "protocol_details": { "http_method": "GET", "http_path": "\/azure-pipelines.yml", "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/532.9 (KHTML, like Gecko) Chrome\/5.0.309.0 Safari\/532.9", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/532.", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/azure-pipelines.yml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/azure-pipelines.yml", "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/532.9 (KHTML, like Gecko) Chrome\/5.0.309.0 Safari\/532.9", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/azure-pipelines.yml", "evidence_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/532.", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /error.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /error.log UA Mozilla/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build/KOT49… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /error.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /error.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Error log disclosure Ligne de requête `GET /error.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.94 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /error.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build/KOT49H) Ap Requête brute (extrait) GET /error.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.94 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "63a22d7857e8fbf458d3c716bbd3154c0b5b9302", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "4bf2a42fc3c47a9cd3c9f83a2dcc96b460ea695c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 274, "payload_entropy": 5.469440124977817, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "caf8c98fca8b3e4851c163780a0e9be92eab6d07", "event_fingerprint": "7b48b4d08c7fc2a0cb0e70ca93d1d25e136dd4ab", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0115" ], "matched_pattern_names": [ "LFI Error log disclosure" ], "pattern_ids": [ "pat-0115" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5e506919050a6c76e98fe278e0170eb6", "payload_hash": "eb852f668384cb18cda4faaf470f6aff", "path_pattern_hash": "377fe372f5c11075aea15748100afc0d" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) Ap", "method": "GET", "path": "\/error.log", "user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.94 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/error.log HTTP\/1.1", "request_sample": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.94 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) Ap", "evidence": { "method": "GET", "path": "\/error.log", "user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.94 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/error.log HTTP\/1.1", "request_sample": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.94 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) Ap", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a251b756cd620b51a409e144897b719eca999d3c", "protocol_details": { "http_method": "GET", "http_path": "\/error.log", "request_line": "GET \/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.24\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) Ap", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/error.log", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/error.log", "request_line": "GET \/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.24\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/error.log", "evidence_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SAMSUNG-SM-G900A Build\/KOT49H) Ap", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /Jenkinsfile	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /Jenkinsfile UA Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/1… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /Jenkinsfile TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /Jenkinsfile Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /Jenkinsfile HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /Jenkinsfile HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 Requête brute (extrait) GET /Jenkinsfile HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "0a540c4e158404bf13daf9dab34433773f42270d", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "6196821c9b59b6ceb2d7ccd4d35e939ea59e7ed4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 197, "payload_entropy": 5.251631777006975, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a85d68b183fd3b08edcec62c06b90136ac74e31e", "event_fingerprint": "aae3f51119e7b78a1d7637144ad8467064e49aa4", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "894d186111a59dd4bf59e8ded183ded7", "payload_hash": "f06de752e56b1ce171f20da4142622a3", "path_pattern_hash": "0d4eaf992f1a72b02518b7d952191a55" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "method": "GET", "path": "\/Jenkinsfile", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/Jenkinsfile HTTP\/1.1", "request_sample": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "evidence": { "method": "GET", "path": "\/Jenkinsfile", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/Jenkinsfile HTTP\/1.1", "request_sample": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4b27b45520d819585383147e28806bcb6fc49b44", "protocol_details": { "http_method": "GET", "http_path": "\/Jenkinsfile", "request_line": "GET \/Jenkinsfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/Jenkinsfile", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/Jenkinsfile", "request_line": "GET \/Jenkinsfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/Jenkinsfile", "evidence_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.vscode/settings.json	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.vscode/settings.json UA Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko/2004092… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.vscode/settings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.vscode/settings.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.vscode/ Ligne de requête `GET /.vscode/settings.json HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko/20040924 Epiphany/1.4.4 (Ubuntu) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.vscode/settings.json HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko/ Requête brute (extrait) GET /.vscode/settings.json HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko/20040924 Epiphany/1.4.4 (Ubuntu) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "616bca6c2b0aa8f8d45a9de706f86b703be609a0", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "8f13238caccb97889bb93a57a58c8206b67c85b5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 229, "payload_entropy": 5.3592977363048275, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c9807529eeeed39cf15ca416688deba3ee7e5b1a", "event_fingerprint": "a6baa6ce571e064042522c0d095a28613881aada", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0227" ], "matched_pattern_names": [ "Probe \/.vscode\/" ], "pattern_ids": [ "pat-0227" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2787e25ca12e16cb50469fec88cfc9cd", "payload_hash": "7ae5de2dfd228f113accad02ee59d920", "path_pattern_hash": "f5f67949e6b52d5014abefc02d1fe9f6" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/", "method": "GET", "path": "\/.vscode\/settings.json", "user_agent": "Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "request_sample": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/", "evidence": { "method": "GET", "path": "\/.vscode\/settings.json", "user_agent": "Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "request_sample": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6134984eca1b7e4a1b1f7518454896ab25a10c40", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/settings.json", "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/settings.json", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/settings.json", "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/20040924 Epiphany\/1.4.4 (Ubuntu)", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/settings.json", "evidence_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i586; en-US; rv:1.7.3) Gecko\/", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.vscode/launch.json	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.vscode/launch.json UA Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, l… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.vscode/launch.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.vscode/launch.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.vscode/ Ligne de requête `GET /.vscode/launch.json HTTP/1.1` User-Agent Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.vscode/launch.json HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHT Requête brute (extrait) GET /.vscode/launch.json HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "3c64ad7af30134667cd1abe9baf1eeedbbde2392", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "f955acacb64b027ce0fe999c2601f7358bc4da5a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 223, "payload_entropy": 5.411100084002192, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "641a6612bc740aea9a798074b048a19ba2668959", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0227" ], "matched_pattern_names": [ "Probe \/.vscode\/" ], "pattern_ids": [ "pat-0227" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c9f271f0f1620e144376ce858cd281be", "payload_hash": "c74d7b6a65e6355aeecb66cf6ccb6589", "path_pattern_hash": "2ff6c8576629cb803256f3fb9cd546fa" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHT", "method": "GET", "path": "\/.vscode\/launch.json", "user_agent": "Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/launch.json HTTP\/1.1", "request_sample": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHT", "evidence": { "method": "GET", "path": "\/.vscode\/launch.json", "user_agent": "Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/launch.json HTTP\/1.1", "request_sample": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHT", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "df52c087b3219a3d8dfac2c7b29ee2a58067e437", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/launch.json", "request_line": "GET \/.vscode\/launch.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHT", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/launch.json", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/launch.json", "request_line": "GET \/.vscode\/launch.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/launch.json", "evidence_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHT", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.github/workflows/main.yml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.github/workflows/main.yml UA Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWe… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /.github/workflows/main.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.github/workflows/main.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.github/workflows/main.yml HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/8.0.57838 Mobile/12H321 Safari/600.1.4 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.github/workflows/main.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac O Requête brute (extrait) GET /.github/workflows/main.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) GSA/8.0.57838 Mobile/12H321 Safari/600.1.4 Accept-Charset: utf-8 Accept-Encoding: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "5dada22dca7c6f14c97a1a0e2ab97f746d9f239e", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "235caf8bc184fcd8b7671c244cc53e88d83bf97b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 284, "payload_entropy": 5.45603705974098, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e00c65eeb03d1145122535589ef4e40b5a1a74b6", "event_fingerprint": "d0ef141bacc5c9f332a94a3d7273979ded84dc12", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4435cdbf790e0e1db69f3b7306b4ff9b", "payload_hash": "988dddab71832223c41d5f6494164639", "path_pattern_hash": "e05ba7286924149fefd56c25594fa0c5" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac O", "method": "GET", "path": "\/.github\/workflows\/main.yml", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) GSA\/8.0.57838 Mobile\/12H321 Safari\/600.1.4", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/main.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) GSA\/8.0.57838 Mobile\/12H321 Safari\/600.1.4\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "payload_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac O", "evidence": { "method": "GET", "path": "\/.github\/workflows\/main.yml", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) GSA\/8.0.57838 Mobile\/12H321 Safari\/600.1.4", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/main.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) GSA\/8.0.57838 Mobile\/12H321 Safari\/600.1.4\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "payload_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac O", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "78ae2d0b4dce9a0b6dec74580b2fce4b62d50457", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/main.yml", "request_line": "GET \/.github\/workflows\/main.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) GSA\/8.0.57838 Mobile\/12\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac O", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/main.yml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/main.yml", "request_line": "GET \/.github\/workflows\/main.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) GSA\/8.0.57838 Mobile\/12\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/main.yml", "evidence_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac O", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.gitlab-ci.yml	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.gitlab-ci.yml UA SonyEricssonK810i/R1KG Browser/NetFront/3.3 Profile/MIDP-2.0 Co… Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.gitlab-ci.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.gitlab-ci.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.gitlab-ci.yml HTTP/1.1` User-Agent SonyEricssonK810i/R1KG Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Règles WAF nosqli-3 Payload (extrait) GET /.gitlab-ci.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: SonyEricssonK810i/R1KG Browser/NetFront/3.3 Profile/MIDP-2.0 Co Requête brute (extrait) GET /.gitlab-ci.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: SonyEricssonK810i/R1KG Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "62e5955585854c43724ee6953fa255f665a91654", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "438af05b92495206533fc223d46e511d40c32485", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 217, "payload_entropy": 5.288079252192365, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6c8b00c9e5d8efa572a10ce6a19479227b561f5a", "event_fingerprint": "54439684aafa7d8822c242dd74cbbb0decfc8a00", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6e2a82c2ef3e04dabf7e19a3959e8b83", "payload_hash": "9f4e676601778e8be22bfdc10bfef4d9", "path_pattern_hash": "1c248e6546ed96558dfcda198b4e61ef" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Co", "method": "GET", "path": "\/.gitlab-ci.yml", "user_agent": "SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "request_sample": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Co", "evidence": { "method": "GET", "path": "\/.gitlab-ci.yml", "user_agent": "SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "request_sample": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Co", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f7782f0b6adfe4bd0b569af36aeea40fd21392a5", "protocol_details": { "http_method": "GET", "http_path": "\/.gitlab-ci.yml", "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "http_user_agent": "SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Co", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitlab-ci.yml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.gitlab-ci.yml", "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "http_user_agent": "SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitlab-ci.yml", "evidence_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Co", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.github/workflows/production.yml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.github/workflows/production.yml UA Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.15 (KHT… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /.github/workflows/production.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.github/workflows/production.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.github/workflows/production.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.613.0 Chrome/10.0.613.0 Safari/534.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.github/workflows/production.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) Apple Requête brute (extrait) GET /.github/workflows/production.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.613.0 Chrome/10.0.613.0 Safari/534.15 Accept-Charset: utf-8 Accep Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "1f0a450d278d2de31e98e06067cde95cbba25c83", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "38eaa565ff94c56233c59ea6d104fdaddcc93cea", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 295, "payload_entropy": 5.404163057706009, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e00c65eeb03d1145122535589ef4e40b5a1a74b6", "event_fingerprint": "398c14cec48c5cb1c19c863c8e53e8bf5aaa28db", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8a2b321c956d64d93fa52f277cdbee9b", "payload_hash": "558586c02921e44b0fd3a24b1b91c00b", "path_pattern_hash": "9eba29b7a547d56eaba268ebadba8373" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) Apple", "method": "GET", "path": "\/.github\/workflows\/production.yml", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/10.0.613.0 Chrome\/10.0.613.0 Safari\/534.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/production.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/10.0.613.0 Chrome\/10.0.613.0 Safari\/534.15\r\nAccept-Charset: utf-8\r\nAccep", "payload_snippet": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) Apple", "evidence": { "method": "GET", "path": "\/.github\/workflows\/production.yml", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/10.0.613.0 Chrome\/10.0.613.0 Safari\/534.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/production.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/10.0.613.0 Chrome\/10.0.613.0 Safari\/534.15\r\nAccept-Charset: utf-8\r\nAccep", "payload_snippet": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) Apple", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "29e02e4754817981ac2b9ed4222e497440dcf9d3", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/production.yml", "request_line": "GET \/.github\/workflows\/production.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/10.0.613.0 Chrome\/\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) Apple", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/production.yml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/production.yml", "request_line": "GET \/.github\/workflows\/production.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/10.0.613.0 Chrome\/\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/production.yml", "evidence_snippet": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) Apple", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.idea/deployment.xml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.idea/deployment.xml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.idea/deployment.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.idea/deployment.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.idea/ Ligne de requête `GET /.idea/deployment.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.idea/deployment.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebK Requête brute (extrait) GET /.idea/deployment.xml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "1d272fbe143f2a4115f67b474937c06356908b2c", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "ff773c35f260c28fb8b1bfb4252a50f6e0022b05", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.403159428467085, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "de50f364cbfb5c7ec6ea2a7905b74203d8005756", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0226" ], "matched_pattern_names": [ "Probe \/.idea\/" ], "pattern_ids": [ "pat-0226" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b7328aaa30e34f28893220be545ec39b", "payload_hash": "047706c6f96775b365f0ff62e96cb9fd", "path_pattern_hash": "36b6d965d63f408f7c773a687ac24612" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebK", "method": "GET", "path": "\/.idea\/deployment.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/deployment.xml HTTP\/1.1", "request_sample": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebK", "evidence": { "method": "GET", "path": "\/.idea\/deployment.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/deployment.xml HTTP\/1.1", "request_sample": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1039b814337b8f95a6dfa8da140a06df67971095", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/deployment.xml", "request_line": "GET \/.idea\/deployment.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebK", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/deployment.xml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/deployment.xml", "request_line": "GET \/.idea\/deployment.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/deployment.xml", "evidence_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebK", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /app.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app.log UA Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko/20090… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /app.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /app.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.log HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko/20090702 Firefox/3.5 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko/20090702 Fir Requête brute (extrait) GET /app.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko/20090702 Firefox/3.5 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "acf3aeae8cf730c68a5518c7e19d225536608d05", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "bd1d5b79d00a082701f913befabe9ce3bb41a839", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 205, "payload_entropy": 5.3338006455345255, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "caf8c98fca8b3e4851c163780a0e9be92eab6d07", "event_fingerprint": "c7fe825150790bed0fecfc895caee878dd26a79e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ae006ce924a63831a261c1761632a46e", "payload_hash": "6a9f12df812076382f502798dea90d53", "path_pattern_hash": "705676047b0602f87a6c259c895bc0e9" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko\/20090702 Fir", "method": "GET", "path": "\/app.log", "user_agent": "Mozilla\/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko\/20090702 Firefox\/3.5", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.log HTTP\/1.1", "request_sample": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko\/20090702 Firefox\/3.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko\/20090702 Fir", "evidence": { "method": "GET", "path": "\/app.log", "user_agent": "Mozilla\/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko\/20090702 Firefox\/3.5", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.log HTTP\/1.1", "request_sample": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko\/20090702 Firefox\/3.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko\/20090702 Fir", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "39c2583b3eabeb2fd3622484edafc7c411c8074c", "protocol_details": { "http_method": "GET", "http_path": "\/app.log", "request_line": "GET \/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko\/20090702 Firefox\/3.5", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko\/20090702 Fir", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.log", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app.log", "request_line": "GET \/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko\/20090702 Firefox\/3.5", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.log", "evidence_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.1) Gecko\/20090702 Fir", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /jenkins/Jenkinsfile	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /jenkins/Jenkinsfile UA Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/537.36… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_jenkins Cible HTTP GET /jenkins/Jenkinsfile TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /jenkins/Jenkinsfile Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /jenkins/Jenkinsfile HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /jenkins/Jenkinsfile HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/5 Requête brute (extrait) GET /jenkins/Jenkinsfile HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "78b5ce573f8bf720549aba6289877bc57c1ff5e2", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "171840fe47dfd6f2d76e0b80f11136ea038cbc5d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.407614929984314, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cbdee8184572a2e196bc24f916e34f19b7e89418", "event_fingerprint": "5706a6de45b7e5ae42d046cc00a70912c3d6cbe8", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "912d30cca638bf5acc269d96a2dbe209", "payload_hash": "5c542160e0c19ab130dddf26f3131a33", "path_pattern_hash": "40125f4f361452a7111c9b4a9dc1dfb2" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/5", "method": "GET", "path": "\/jenkins\/Jenkinsfile", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "request_sample": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/jenkins\/Jenkinsfile", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "request_sample": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/5", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f555408c2526173304a9b4f092c25ff0d6952398", "protocol_details": { "http_method": "GET", "http_path": "\/jenkins\/Jenkinsfile", "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/5", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/jenkins\/Jenkinsfile", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/jenkins\/Jenkinsfile", "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/jenkins\/Jenkinsfile", "evidence_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/5", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_jenkins", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.buildkite/pipeline.yml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.buildkite/pipeline.yml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.buildkite/pipeline.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.buildkite/pipeline.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.buildkite/pipeline.yml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.buildkite/pipeline.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleW Requête brute (extrait) GET /.buildkite/pipeline.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "cbb9db1397a33f72cf3f1187f904981b18d81e8c", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "4bafbac6a6a3a3e498ce6febcc708140823e7542", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.41992774309099, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "769b6667e91c769c29ac36a4f27dbc4c3d434c3d", "event_fingerprint": "90fe019d70c4bfb458447c5f1f13c17cde5414f8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c816f7e85e19cb6888eb2725fc09077c", "payload_hash": "6514df8f7353ca8dca056f2c0bdcc91c", "path_pattern_hash": "483e00e02486581ed9691d00f40bae15" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleW", "method": "GET", "path": "\/.buildkite\/pipeline.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "request_sample": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleW", "evidence": { "method": "GET", "path": "\/.buildkite\/pipeline.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "request_sample": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleW", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a330847e1e7f4ffd184345a9a02e179c56bbaa68", "protocol_details": { "http_method": "GET", "http_path": "\/.buildkite\/pipeline.yml", "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleW", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.buildkite\/pipeline.yml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.buildkite\/pipeline.yml", "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.buildkite\/pipeline.yml", "evidence_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleW", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /bitbucket-pipelines.yml	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /bitbucket-pipelines.yml UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /bitbucket-pipelines.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /bitbucket-pipelines.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /bitbucket-pipelines.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /bitbucket-pipelines.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KH Requête brute (extrait) GET /bitbucket-pipelines.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "2cecc9621dea7d276855e0e899c9f487caeeefe2", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "e18939aa25137b140957dface586fa6d87f55246", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 247, "payload_entropy": 5.431775439329696, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "57a602dc0a2d60b7d2955390f951c2f125ab353a", "event_fingerprint": "02f58e7f41457c623c9b81423f61c36caad0e341", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ec5d4df262c623ce32a88a3272259c4b", "payload_hash": "dc580445b7177306ad9df00aac589e9a", "path_pattern_hash": "7196cda3d0ac0fc416539ef0a94d0999" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/bitbucket-pipelines.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bitbucket-pipelines.yml HTTP\/1.1", "request_sample": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/bitbucket-pipelines.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bitbucket-pipelines.yml HTTP\/1.1", "request_sample": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "99eed758e5dc597ab09c901f547a9a33dba8e686", "protocol_details": { "http_method": "GET", "http_path": "\/bitbucket-pipelines.yml", "request_line": "GET \/bitbucket-pipelines.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KH", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bitbucket-pipelines.yml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/bitbucket-pipelines.yml", "request_line": "GET \/bitbucket-pipelines.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bitbucket-pipelines.yml", "evidence_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KH", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /.circleci/config.yml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.circleci/config.yml UA Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/2008… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.circleci/config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.circleci/config.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.circleci/config.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080716 (Gentoo) Galeon/2.0.6 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.circleci/config.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Geck Requête brute (extrait) GET /.circleci/config.yml HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080716 (Gentoo) Galeon/2.0.6 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "ee51e06bab42e31123dc56d3e7441fe31d3bdca8", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "42ed80c065555149f59c15145f7ae964b6a99b5e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 229, "payload_entropy": 5.265761803325891, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c9807529eeeed39cf15ca416688deba3ee7e5b1a", "event_fingerprint": "7586465a3b1392da8b85bbf5740a80244861e06f", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7c03a0ceb5e41705263eecefeb91e5ab", "payload_hash": "2a8d38a556783075f3364b3e90b6deeb", "path_pattern_hash": "b893b0eec412648d41158b9ec6bd21e4" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Geck", "method": "GET", "path": "\/.circleci\/config.yml", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.circleci\/config.yml HTTP\/1.1", "request_sample": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Geck", "evidence": { "method": "GET", "path": "\/.circleci\/config.yml", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.circleci\/config.yml HTTP\/1.1", "request_sample": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Geck", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d9068dbe3c943fd689b7c69718d56171368f54f0", "protocol_details": { "http_method": "GET", "http_path": "\/.circleci\/config.yml", "request_line": "GET \/.circleci\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Geck", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.circleci\/config.yml", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.circleci\/config.yml", "request_line": "GET \/.circleci\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.circleci\/config.yml", "evidence_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Geck", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /application.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /application.log UA Mozilla/5.0 (Linux; Android 5.1.1; A37f Build/LMY47V) AppleWebK… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /application.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /application.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /application.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 5.1.1; A37f Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.126 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; A37f Build/LMY47V) AppleWeb Requête brute (extrait) GET /application.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; A37f Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.126 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "48aff90a9151363feb81bf29408595188f824823", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "194ffa296bf5bf546445bc77a4914a3c16983759", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 269, "payload_entropy": 5.41355700418527, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "caf8c98fca8b3e4851c163780a0e9be92eab6d07", "event_fingerprint": "a83a6001dc3c2c5f0ea580239821c147b01c7f3a", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "226697356d23b3595e00d7b9fcf683eb", "payload_hash": "ec000a919ca315ea98a958fc01ee2149", "path_pattern_hash": "162fef3d3c20397fd9e19a55bcddfa03" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f Build\/LMY47V) AppleWeb", "method": "GET", "path": "\/application.log", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; A37f Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.log HTTP\/1.1", "request_sample": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f Build\/LMY47V) AppleWeb", "evidence": { "method": "GET", "path": "\/application.log", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; A37f Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.log HTTP\/1.1", "request_sample": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f Build\/LMY47V) AppleWeb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "78223df0af1452f9137cabc030f38c9ee743ed84", "protocol_details": { "http_method": "GET", "http_path": "\/application.log", "request_line": "GET \/application.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; A37f Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobil\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f Build\/LMY47V) AppleWeb", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.log", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/application.log", "request_line": "GET \/application.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; A37f Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.126 Mobil\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.log", "evidence_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f Build\/LMY47V) AppleWeb", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /server.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server.log UA Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit/53… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /server.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /server.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit/537.36 Requête brute (extrait) GET /server.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "50fa0e84739a53ff2ca339a8b3f9d6e15da14af9", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "437770240dcc724c5033b3c158c576b84dde4de1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.3826813268975675, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "caf8c98fca8b3e4851c163780a0e9be92eab6d07", "event_fingerprint": "d6fcfc3d65f8d2eebcdd9aeefb8e17b83ce63f14", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dba530ae9f5fa9a0b9739d7895f5e92b", "payload_hash": "e4c3fb2225566d4b8d7a37bcf444b79c", "path_pattern_hash": "1bb66c038c973622f0056a763496f9ef" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36", "method": "GET", "path": "\/server.log", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.log HTTP\/1.1", "request_sample": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/server.log", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.log HTTP\/1.1", "request_sample": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bac113e59d7283cb0e5a5288e3f09aeb11c35564", "protocol_details": { "http_method": "GET", "http_path": "\/server.log", "request_line": "GET \/server.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Saf\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.log", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server.log", "request_line": "GET \/server.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Saf\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.log", "evidence_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /log/debug.log	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /log/debug.log UA Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_log Cible HTTP GET /log/debug.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /log/debug.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Debug log disclosure Ligne de requête `GET /log/debug.log HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /log/debug.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1. Requête brute (extrait) GET /log/debug.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "fd84c72d69faf33df573dcd0340e5a121c99ab2d", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "3fb5b472f52b8bcac2f6138463cf27ff65b8c633", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 265, "payload_entropy": 5.396732265459475, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "a5fa742a604b7d2fe0926131ae57983f0ce75386", "event_fingerprint": "8a4afe42b5036f6840475d8350937ba7f96475a0", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0110" ], "matched_pattern_names": [ "LFI Debug log disclosure" ], "pattern_ids": [ "pat-0110" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f5bf208ca505ba301b62dd806f861235", "payload_hash": "e6ad5715ce5a58c2452517b2e0b410a7", "path_pattern_hash": "0a13815894d10bbcd047ea689c56dc08" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.", "method": "GET", "path": "\/log\/debug.log", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/log\/debug.log HTTP\/1.1", "request_sample": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.", "evidence": { "method": "GET", "path": "\/log\/debug.log", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/log\/debug.log HTTP\/1.1", "request_sample": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7e106132b4a327b89c2f29fb5e637f09f092f1fa", "protocol_details": { "http_method": "GET", "http_path": "\/log\/debug.log", "request_line": "GET \/log\/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/log\/debug.log", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/log\/debug.log", "request_line": "GET \/log\/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/log\/debug.log", "evidence_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_log", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /nginx.config	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /nginx.config UA Mozilla/4.0 (compatible; MSIE 5.0; Series80/2.0 Nokia9500/4.51 … Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /nginx.config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /nginx.config Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /nginx.config HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 5.0; Series80/2.0 Nokia9500/4.51 Profile/MIDP-2.0 Configuration/CLDC-1.1) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /nginx.config HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Series80/2.0 Nokia9500/4.51 Pr Requête brute (extrait) GET /nginx.config HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Series80/2.0 Nokia9500/4.51 Profile/MIDP-2.0 Configuration/CLDC-1.1) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "config", "http_ua_hash": "ba8a59a16daa512ffbf0990657e962697cf1fa7d", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "e275586080f0f32618bdbe0c80334164416e3043", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 235, "payload_entropy": 5.325656565493628, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "09217d7d687ea21e5c1c0e767c2e21e696c2ccf2", "event_fingerprint": "5f58efd13682a0677410a0d4af5a127d6ed61a5f", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d43b4ceb10541234c2eba8a9d9fde57b", "payload_hash": "d7f36c12c3760bf1605bb83cb514ab79", "path_pattern_hash": "80871f7e109ea9867fd6173c2b32059b" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.0; Series80\/2.0 Nokia9500\/4.51 Pr", "method": "GET", "path": "\/nginx.config", "user_agent": "Mozilla\/4.0 (compatible; MSIE 5.0; Series80\/2.0 Nokia9500\/4.51 Profile\/MIDP-2.0 Configuration\/CLDC-1.1)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.config HTTP\/1.1", "request_sample": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.0; Series80\/2.0 Nokia9500\/4.51 Profile\/MIDP-2.0 Configuration\/CLDC-1.1)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.0; Series80\/2.0 Nokia9500\/4.51 Pr", "evidence": { "method": "GET", "path": "\/nginx.config", "user_agent": "Mozilla\/4.0 (compatible; MSIE 5.0; Series80\/2.0 Nokia9500\/4.51 Profile\/MIDP-2.0 Configuration\/CLDC-1.1)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.config HTTP\/1.1", "request_sample": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.0; Series80\/2.0 Nokia9500\/4.51 Profile\/MIDP-2.0 Configuration\/CLDC-1.1)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.0; Series80\/2.0 Nokia9500\/4.51 Pr", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7fc3894c3693835661ff91154db5981bb8840551", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.config", "request_line": "GET \/nginx.config HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 5.0; Series80\/2.0 Nokia9500\/4.51 Profile\/MIDP-2.0 Configuration\/CLDC-1.1)", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.0; Series80\/2.0 Nokia9500\/4.51 Pr", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.config", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.config", "request_line": "GET \/nginx.config HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 5.0; Series80\/2.0 Nokia9500\/4.51 Profile\/MIDP-2.0 Configuration\/CLDC-1.1)", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.config", "evidence_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.0; Series80\/2.0 Nokia9500\/4.51 Pr", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /logs/application.log	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /logs/application.log UA Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWe… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_logs Cible HTTP GET /logs/application.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /logs/application.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /logs/application.log HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /logs/application.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) A Requête brute (extrait) GET /logs/application.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "bb7c85895b481104c504c33ed8fa6c28b7c0c940", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "cdf00c17308c69bcbf2914393a08738de75ce806", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.351739219598783, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4c888050a61b0bef40352870c91d551e7615b7fd", "event_fingerprint": "41c1547221e485a85c31412cbbd8c62a1cac523d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8377cf5b44343da0675020140e3d1292", "payload_hash": "a0220f9c54d6320305ddd80d1c5836a7", "path_pattern_hash": "60fc95e5699c71a682d502bba60586d5" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) A", "method": "GET", "path": "\/logs\/application.log", "user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Safari\/530.17", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/application.log HTTP\/1.1", "request_sample": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) A", "evidence": { "method": "GET", "path": "\/logs\/application.log", "user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Safari\/530.17", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/application.log HTTP\/1.1", "request_sample": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) A", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e974df9060ed96642279e384e340a7ed92335527", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/application.log", "request_line": "GET \/logs\/application.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Safari\/530.17", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) A", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/application.log", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/application.log", "request_line": "GET \/logs\/application.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Safari\/530.17", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/application.log", "evidence_snippet": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_7;en-us) A", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_logs", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /logs/app.log	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /logs/app.log UA Mozilla/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit/537.36 (… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_logs Cible HTTP GET /logs/app.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /logs/app.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /logs/app.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /logs/app.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit/537.36 (KH Requête brute (extrait) GET /logs/app.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "8219863d68fd2cc32606e571dc0ae78500e1752f", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "d0b8b644029ba159087a417f2e8eafdc14fc0ddb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.371593326881863, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4c888050a61b0bef40352870c91d551e7615b7fd", "event_fingerprint": "462c48ed9274a3f6594fda3a58683b7f1093ed0a", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7f07658f8b35b3c454c617296db76095", "payload_hash": "0e734ae1612820ce244f74be8e9b2eed", "path_pattern_hash": "1ee40b92eb3b65f75911cb662d7e1127" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/logs\/app.log", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/app.log HTTP\/1.1", "request_sample": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/logs\/app.log", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/app.log HTTP\/1.1", "request_sample": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "babd8fcdc23f4b21badc002a8e97139b6394c625", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/app.log", "request_line": "GET \/logs\/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/53\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KH", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/app.log", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/app.log", "request_line": "GET \/logs\/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/53\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/app.log", "evidence_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KH", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_logs", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:9003 · (tentative d'exploit) · → /web.config	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /web.config UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /web.config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /web.config Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI IIS web.config Ligne de requête `GET /web.config HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 YaBrowser/18.3.1.1220 Yowser/2.5 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 YaBrowser/18.3.1.1220 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Conn Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "config", "http_ua_hash": "901232c6b68c2d240bff5039fd7b8df58b7460ec", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "fb61e36fe9095535f127e3353d957f1c1310e8e9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 273, "payload_entropy": 5.434474815510635, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "eb5f6fcc2670c1ce54e4f0357ea0ccdc28fe7567", "event_fingerprint": "5484107df47d16c033bc63e4a1574699985b37e9", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0120" ], "matched_pattern_names": [ "LFI IIS web.config" ], "pattern_ids": [ "pat-0120" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "93a5e16308954459381bac19669c1159", "payload_hash": "6f829a743840490e35c5c384a012948c", "path_pattern_hash": "0913647d7e838cdd727ceda37a671f37" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "method": "GET", "path": "\/web.config", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.186 YaBrowser\/18.3.1.1220 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.186 YaBrowser\/18.3.1.1220 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "method": "GET", "path": "\/web.config", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.186 YaBrowser\/18.3.1.1220 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.186 YaBrowser\/18.3.1.1220 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConn", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "30635861360d6d1269014c9891090356003faeb4", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.186 YaBrowser\/18.3.1.1220 \u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "attack_vector": "config file probe \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web.config", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.186 YaBrowser\/18.3.1.1220 \u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web.config", "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:9003 · (tentative d'exploit) · → /.gitconfig	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.gitconfig UA msnbot/1.1 ( http://search.msn.com/msnbot.htm) Émulateur HTTP WAF 12 Recommandation Investiguer Tags 950406:ssrf-3 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.gitconfig TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /.gitconfig Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « ssrf-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 52 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /.gitconfig HTTP/1.1` User-Agent msnbot/1.1 ( http://search.msn.com/msnbot.htm) Règles WAF ssrf-3 nosqli-3 Payload (extrait) GET /.gitconfig HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: msnbot/1.1 ( http://search.msn.com/msnbot.htm) Accept-Charset: utf Requête brute (extrait) GET /.gitconfig HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: msnbot/1.1 ( http://search.msn.com/msnbot.htm) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "gitconfig", "http_ua_hash": "b1d40dbd02ce0f4c818cd421f4b9b909055bc3aa", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "4552edeb48a162af2c0944497328c6fed5ef02ec", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 176, "payload_entropy": 5.0250852943644295, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 56, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 56, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "0f06eb5e6eab0e5fcc814aa54ed4ab381451994f", "event_fingerprint": "84419b5b8cbd36675478dab08b1625d5e7c7a4de", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 56, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 52, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7a32b7a100fa1dbcb5ff9eae93f4d605", "payload_hash": "77bb5d2e9ee03a6b3622a3e6080e2ed5", "path_pattern_hash": "15182e65e3e4c28fd6667d0a76628de0" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: utf", "method": "GET", "path": "\/.gitconfig", "user_agent": "msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)", "waf_tags": [ "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/.gitconfig HTTP\/1.1", "request_sample": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: utf", "evidence": { "method": "GET", "path": "\/.gitconfig", "user_agent": "msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)", "waf_tags": [ "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/.gitconfig HTTP\/1.1", "request_sample": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: utf", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b256127742b7eba9595722038c570c491e786cd4", "protocol_details": { "http_method": "GET", "http_path": "\/.gitconfig", "request_line": "GET \/.gitconfig HTTP\/1.1", "http_user_agent": "msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: utf", "attack_vector": "config file probe \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitconfig", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 56, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 52, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.gitconfig", "request_line": "GET \/.gitconfig HTTP\/1.1", "http_user_agent": "msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitconfig", "evidence_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: msnbot\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: utf", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 56 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950406:ssrf-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /logs/debug.log	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /logs/debug.log UA Mozilla/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build/cup… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_logs Cible HTTP GET /logs/debug.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /logs/debug.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Debug log disclosure Ligne de requête `GET /logs/debug.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build/cupcake) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /logs/debug.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build/cup Requête brute (extrait) GET /logs/debug.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build/cupcake) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "935d1e1c30720eba7c7eae6793f23ac91e0613be", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "03e204e4d1092f0f3982669317d2eb101a33266b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 274, "payload_entropy": 5.348158148580531, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "903c0c5ef14fc8a6495d929cca0c2761380ea312", "event_fingerprint": "e7c170bf680a0d62b09b3134c3611f54287bcda9", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0110" ], "matched_pattern_names": [ "LFI Debug log disclosure" ], "pattern_ids": [ "pat-0110" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "32269b3f208dd697f5433592a7a03cb7", "payload_hash": "9e031297b754b0bc9507be722a186914", "path_pattern_hash": "2521db54cde5bdc17cc591777e55b15e" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build\/cup", "method": "GET", "path": "\/logs\/debug.log", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build\/cupcake) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/debug.log HTTP\/1.1", "request_sample": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build\/cupcake) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build\/cup", "evidence": { "method": "GET", "path": "\/logs\/debug.log", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build\/cupcake) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/debug.log HTTP\/1.1", "request_sample": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build\/cupcake) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build\/cup", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3c74d69828c6b1eb410e3b7ce84d15fa0853c10f", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/debug.log", "request_line": "GET \/logs\/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build\/cupcake) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build\/cup", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/debug.log", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/debug.log", "request_line": "GET \/logs\/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build\/cupcake) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/debug.log", "evidence_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build\/cup", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_logs", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /logs/error.log	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /logs/error.log UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_logs Cible HTTP GET /logs/error.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /logs/error.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Error log disclosure Ligne de requête `GET /logs/error.log HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /logs/error.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537 Requête brute (extrait) GET /logs/error.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "8e592f6d195654b25f2887f372f19885a896c5f2", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "9d5f558e73ca716aa21e27c6081370ba7dda563b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.383727769744185, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4c888050a61b0bef40352870c91d551e7615b7fd", "event_fingerprint": "fed8f0e444005f0da46fe806475aaaabc1ee43e2", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0115" ], "matched_pattern_names": [ "LFI Error log disclosure" ], "pattern_ids": [ "pat-0115" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "04bbf91f2f08f7f3f3865b9e75774fd0", "payload_hash": "b999d7d222618b608885c564edf24f11", "path_pattern_hash": "11a7dc2316512e9b8311ac327e383bb9" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537", "method": "GET", "path": "\/logs\/error.log", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/error.log HTTP\/1.1", "request_sample": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/logs\/error.log", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/error.log HTTP\/1.1", "request_sample": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "33a0636ea6c6b2d63f4fff6095348f9993e33829", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/error.log", "request_line": "GET \/logs\/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/error.log", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/error.log", "request_line": "GET \/logs\/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/error.log", "evidence_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_logs", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 22:19:29 UTC	TCP	9003 · HTTP	http	Flood / DDoS http flood · via HTTP:9003 · (tentative d'exploit) · → /access.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /access.log UA Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /access.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9003 Chemin / cible /access.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /access.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /access.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /access.log HTTP/1.1 Host: 62.3.50.33:9003 User-Agent: Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "9f44694db042382b1894b9467bda9cec0203a128", "http_host_hash": "abc0a11b1f2d5a8269fa4aa6648b5ae33c32c9b4", "http_target_hash": "63438c908367e4f8041717ab279c4d967e15af99", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.353534232072619, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "IN", "dst_port": 9003, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "caf8c98fca8b3e4851c163780a0e9be92eab6d07", "event_fingerprint": "cc28a13e52f2efd9d9335ade8f067b3e26f479f2", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dfad63a0b311a8b1ad2a0387ee24907c", "payload_hash": "ca851251100dd8d6d08d4ca964defbe5", "path_pattern_hash": "3185fcf0045ab357f9b5c65f6fd9ad4d" }, "target_context": { "dst_port": 9003, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/access.log", "user_agent": "Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/access.log HTTP\/1.1", "request_sample": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/access.log", "user_agent": "Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/access.log HTTP\/1.1", "request_sample": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "edb7813e9120ce5e2dbccef50e0e78456d29bca3", "protocol_details": { "http_method": "GET", "http_path": "\/access.log", "request_line": "GET \/access.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/access.log", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/access.log", "request_line": "GET \/access.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 9003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9003 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/access.log", "evidence_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9003\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML,", "target_port_label": "9003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }

35.244.26.224

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence