{"ip":"35.244.7.152","exported_at":"2026-06-18T23:04:08+00:00","period_days":30,"metrics":{"events7d":60,"distinct_ports":1,"distinct_classifications":2,"max_severity":10,"last_sensor_id":"paris-1","max_waf_score":35,"max_risk_score":67,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["path_traversal","config_leak_scan"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":100,"classification":74,"behavior":0,"geo":40,"protocol":35,"novelty":25},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"T1083","top_mitre_technique":"TA0007","top_mitre_count":30,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)","campaign_hint_fr":null,"confidence_breakdown":{"waf":100,"classification":74,"behavior":0,"geo":40,"protocol":35,"novelty":25,"risk_score":66,"correlation_boost":8},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["multi_protocol_correlation"],"correlation_flags_labels_fr":["Multi-protocole corr\u00e9l\u00e9 (5 min)"],"confidence_pct":100,"confidence_hint_fr":"Corr\u00e9lation +8","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["SIGMA-web-config-leak","Http Sensitive","Upstream","Waf Score"],"tags_summary":["SIGMA-web-config-leak","INT-http_sensitive","INT-upstream","INT-waf-score"],"attack_vector":"config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/project\/.git\/config","protocol_details":{"http_method":"GET","http_path":"\/project\/.git\/config","request_line":"GET \/project\/.git\/config HTTP\/1.1","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.90 Safari\/537.36 Vivaldi\/1\u2026","port":6080,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"GET \/project\/.git\/config \u00b7 UA Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKi\u2026 \u00b7 HTTP:6080","evidence_snippet":"GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:6080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K","target_port_label":"6080 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF","classification_reason":"Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%","classification_reason_label_fr":"Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF","payload_preview":"GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:6080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K"},"events":[{"id":8891939,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54706,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/assets\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022e65381e09416f9f44e15da480f747a5f92effc5c\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u0022e81ca9a0554d6690b053d3acc558b05833b1c696\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.372176202085564, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c7d5a1f9fd2bbe37391fe6a1583d4a1bca10a46c\u0022, \u0022event_fingerprint\u0022: \u0022b11406b4843a556e0c0045219ad92be8acd15bbd\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c937486453a28bce9489cfffbedb5491\u0022, \u0022payload_hash\u0022: \u0022275ecfdb803d3a6cc6265148b6437424\u0022, \u0022path_pattern_hash\u0022: \u002270c13b709566f458c71892575aa001e0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/assets\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/assets\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e217d6cae62a9029767c1b8a475bd7dedb243c87\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/assets\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/assets\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/assets\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/assets\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_assets\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_assets\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":252},{"id":8891940,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54722,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/dist\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002267cd2aa88754575f856c2edf38d4b5159963a959\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u0022b2ec2395164738dbd60ce81f264be6255104bfff\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 265, \u0022payload_entropy\u0022: 5.369041130598963, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u00222026cd5e143fbf402a862c2d1293b828eed5d0a7\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002257322d07efe3c4afc6e4b5dae3823bbb\u0022, \u0022payload_hash\u0022: \u0022b562f1a619fc7bd1caa569abf3c0d415\u0022, \u0022path_pattern_hash\u0022: \u0022dd1606cd54dc95eed2c024184678427e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dist\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: \u0022, \u0022payload_snippet\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dist\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: \u0022, \u0022payload_snippet\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229d3b612ca9fb2ab9bf85d71ab4fb7953e1582b74\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/dist\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Saf\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/dist\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/dist\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Saf\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/dist\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":265},{"id":8891941,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54728,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/build\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022ee7f41aa318cea57561e2b380fa13392cd7b5d90\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u00226aeebdefc1a7f3903e2f068a42149eb080915c7b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 216, \u0022payload_entropy\u0022: 5.234152515088382, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u002200867b4aa796fa4d1c90d84749ccd2ca0e787cc8\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002208af13e505a148fb7312e5f991eeee96\u0022, \u0022payload_hash\u0022: \u00226068fc65eceea5bd8dafe0782372be56\u0022, \u0022path_pattern_hash\u0022: \u0022203627ae3f02d834b42dc778d4676888\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; Linux 2.6.22) NetFront\/3.4 Kindle\/2\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/build\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/4.0 (compatible; Linux 2.6.22) NetFront\/3.4 Kindle\/2.0 (screen 600x800)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; Linux 2.6.22) NetFront\/3.4 Kindle\/2.0 (screen 600x800)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; Linux 2.6.22) NetFront\/3.4 Kindle\/2\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/build\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/4.0 (compatible; Linux 2.6.22) NetFront\/3.4 Kindle\/2.0 (screen 600x800)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; Linux 2.6.22) NetFront\/3.4 Kindle\/2.0 (screen 600x800)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; Linux 2.6.22) NetFront\/3.4 Kindle\/2\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002234a768549f9fc0764c2b706fe01643bc4bc88807\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/build\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/4.0 (compatible; Linux 2.6.22) NetFront\/3.4 Kindle\/2.0 (screen 600x800)\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; Linux 2.6.22) NetFront\/3.4 Kindle\/2\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/build\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/build\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/4.0 (compatible; Linux 2.6.22) NetFront\/3.4 Kindle\/2.0 (screen 600x800)\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/build\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; Linux 2.6.22) NetFront\/3.4 Kindle\/2\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/4.0 (compatible; Linux 2.6.22) NetFront\/3.4 Kindle\/2.0 (screen 600x800)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":216},{"id":8891942,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54732,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/admin\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022e8c7024aa0a1fde083832602708a21268842c09c\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u00220d4fda54689ca91aa1cd9ce83cd7fe814ab26468\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 279, \u0022payload_entropy\u0022: 5.426773750452955, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 67, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221000d31f462fdcead050ddd176846da385f92635\u0022, \u0022event_fingerprint\u0022: \u0022b5978f60013161a2d5c0292f2bc5391ddb16b144\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Magento admin\u0022, \u0022ES admin GET\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 67, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00224e806912151c12c6baafb6da3bab5ded\u0022, \u0022payload_hash\u0022: \u0022b48de089fea0114b724a5c4834c873f4\u0022, \u0022path_pattern_hash\u0022: \u0022b0ac58c50c927a70e841faaa3da36222\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 67}, \u0022payload_preview\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224355666f73944c4387b87f203294b5c3e7d09827\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 67, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 67, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":279},{"id":8891943,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54736,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":34,"waf_tags":"[\u0022950086:sqli-21\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/site\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00222ad97a32b094802429e8cd0cdb324fc946455262\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u002299d75e39037b11054e155a03133c80282ea1c965\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 405, \u0022payload_entropy\u0022: 5.5280172509460295, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022767158b100aa891c1ce9c6a2d8442627146ee5a5\u0022, \u0022event_fingerprint\u0022: \u0022bc9453240a8b5a5644976863e009785ccf0e1821\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022626a4dd1550738d3881c5021a33dce89\u0022, \u0022payload_hash\u0022: \u002283995df9bbc16c765eaf1db8c464a28e\u0022, \u0022path_pattern_hash\u0022: \u00226901c63c2daa99b93d9d7c027371b852\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) App\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/site\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/3072 MicroMessenger\/7.0.3.1400(0x2700033C) Process\/tools NetType\/WIFI \u2026\u0022, \u0022waf_tags\u0022: [\u0022950086:sqli-21\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-21\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/3072\u0022, \u0022payload_snippet\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) App\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/site\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/3072 MicroMessenger\/7.0.3.1400(0x2700033C) Process\/tools NetType\/WIFI \u2026\u0022, \u0022waf_tags\u0022: [\u0022950086:sqli-21\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-21\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/3072\u0022, \u0022payload_snippet\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) App\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222b7a62cf039b5cb6e1f016345c73008a739c4600\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/site\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) App\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/site\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/site\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/site\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) App\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950086:sqli-21\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/3072 MicroMessenger\/7.0.3.1400(0x2700033C) Process\/tools NetType\/WIFI Language\/zh_CN","http_referer":null,"tags":"[\u0022950086:sqli-21\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":405},{"id":8891944,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54738,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/portal\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022b3a73502ae08945ef77d64d44f4755266af5ebb4\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u0022c6c2b01731ed2b569c9ab907e9a96206a2cfc6cc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 290, \u0022payload_entropy\u0022: 5.380967093944032, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u00225ac1936cc36b20eceeadf589c3bdc09a006dcf28\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002233a597eb6149c7d737a3d0bb37549fae\u0022, \u0022payload_hash\u0022: \u0022e82bb2990a21a7d7f63626be5edc8523\u0022, \u0022path_pattern_hash\u0022: \u0022b68e69ddda3386f78de437bb71fa9236\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/portal\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3704.400 QQBrowser\/10.4.3587.400\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3704.400 QQBrowser\/10.4.3587.400\\r\\nAccept-Charset: utf-8\\r\\nAccept-Enc\u0022, \u0022payload_snippet\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/portal\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3704.400 QQBrowser\/10.4.3587.400\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3704.400 QQBrowser\/10.4.3587.400\\r\\nAccept-Charset: utf-8\\r\\nAccept-Enc\u0022, \u0022payload_snippet\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222a20fd67f7a09f2bfe2ddd233f54f07abc5f5834\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/portal\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/portal\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/portal\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/portal\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3704.400 QQBrowser\/10.4.3587.400","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":290},{"id":8891945,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54746,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/dashboard\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00221b568a95f63b97597b11c1932c36b1ddac92ae3c\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u00228e8dab3e424b71a244774110fadcc774ba40fa59\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 251, \u0022payload_entropy\u0022: 5.402401522758294, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcffe6f768665af85e24869893d965756100c645\u0022, \u0022event_fingerprint\u0022: \u0022e78f3ab28e85a49b3c50261450818c07402cc5ee\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ccb9bdbba64b7e148d936cc9af18b0d0\u0022, \u0022payload_hash\u0022: \u002279b90e10d7f3f113aff7bb7c4388233a\u0022, \u0022path_pattern_hash\u0022: \u002233b0aba70ccc7970e9e866f8e50aaddb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dashboard\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.162 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.162 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dashboard\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.162 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.162 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002202ccf2b45d4e2fb43d70078f7ab133bb5d579cb9\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/dashboard\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.162 Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/dashboard\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/dashboard\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.162 Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/dashboard\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_traefik\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.162 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_traefik\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":251},{"id":8891946,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54760,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":21,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/laravel\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022963772bc47a3191abae054027ab3cf3bd312afb4\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u0022ff65c052e15f784544b91aafeff8e6c3f996fc2a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 184, \u0022payload_entropy\u0022: 5.187384867073758, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 92.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 63, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226294856435c1a620e7fd8c1331cfc334f43d9c00\u0022, \u0022event_fingerprint\u0022: \u0022b0eedb2d15149b33020b9a15aca662982c373e81\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022568f244f4952b5686c6503e1501b5e39\u0022, \u0022payload_hash\u0022: \u0022e501544168d1feac5099a4586be5ec78\u0022, \u0022path_pattern_hash\u0022: \u00223a3de1279fd8fe4dc4799f8620f7768e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 63}, \u0022payload_preview\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\\r\\nAccept-Char\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/laravel\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\\r\\nAccept-Char\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/laravel\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\\r\\nAccept-Char\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222f750b4c6264fd914f74b7f13a7e67de4a337e03\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/laravel\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\\r\\nAccept-Char\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/laravel\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 63, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/laravel\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/laravel\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)\\r\\nAccept-Char\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Opera\/9.20 (Macintosh; Intel Mac OS X; U; en)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":184},{"id":8891947,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54764,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":21,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/shop\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00226cdfcaa8a9e80c18dc6298ba61aa639db91435f7\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u0022802d0aecf0b84c68ef00c159917e7dd44f6dfd34\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 217, \u0022payload_entropy\u0022: 5.348584361400203, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 92.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 63, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002285180fb87759d450cba782f505b99fc19a93b9ce\u0022, \u0022event_fingerprint\u0022: \u00226c9a752a2b41e3d0e7530caee14acb9ee4f954cc\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225e0d80a460e69b088106ff365bdf4881\u0022, \u0022payload_hash\u0022: \u002231a450b2be24e4c6fea69351fc5e5472\u0022, \u0022path_pattern_hash\u0022: \u00226603e8dbaffaf78a6758aff077d9de4a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 63}, \u0022payload_preview\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/shop\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [en-US]\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [en-US]\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/shop\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [en-US]\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [en-US]\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223ce5c05cbe5a6fb8f59d88033a8ce30f6c3c67f5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/shop\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [en-US]\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/shop\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 63, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/shop\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [en-US]\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/shop\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_shop\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [en-US]","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_shop\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":217},{"id":8891948,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54770,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/wordpress\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00222823fb091bc51afa38cb669957969972e70e4285\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u0022466d1ef9599315e8ea185d729b1bb7f4ef3f3e3e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 295, \u0022payload_entropy\u0022: 5.421341352793121, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u002274adb26b3795b538bdef28a55c6c5db6cc9d74b4\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c071d480eca0f72986e1a9acae4c6091\u0022, \u0022payload_hash\u0022: \u0022da5323032896153a1ffe42fb8b753565\u0022, \u0022path_pattern_hash\u0022: \u0022065fde2a84971d9e936ccb4d03006f9c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wordpress\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile Safari\/535.19 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile Safari\/535.19 Silk-Accelerated=true\\r\\nAccept-Charset: utf-8\\r\\nAccep\u0022, \u0022payload_snippet\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wordpress\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile Safari\/535.19 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile Safari\/535.19 Silk-Accelerated=true\\r\\nAccept-Charset: utf-8\\r\\nAccep\u0022, \u0022payload_snippet\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c7c99ba0b29255db9ceb203e9088b057cbda2c90\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wordpress\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile \u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wordpress\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wordpress\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile \u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wordpress\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Linux; U; Android 4.0.3; en-us; KFTT Build\/IML74K) AppleWebKit\/535.19 (KHTML, like Gecko) Silk\/2.1 Mobile Safari\/535.19 Silk-Accelerated=true","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":295},{"id":8891949,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54772,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":21,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/wp-content\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002201d7890e293e9cd9e592801f2ed9e6445531e536\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u00221cbb6121d6675be288abb212d6a93556d924de3d\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 190, \u0022payload_entropy\u0022: 5.237054134293684, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 92.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 63, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226294856435c1a620e7fd8c1331cfc334f43d9c00\u0022, \u0022event_fingerprint\u0022: \u0022c234ecebb928876faa70649e92109c084a1aa143\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022551dfe724be0545a21acf596f41ebf4f\u0022, \u0022payload_hash\u0022: \u002226ce92a7dea3ff82f95c305ba33e83ad\u0022, \u0022path_pattern_hash\u0022: \u0022653b421a6e10a22436e18cc595f6a1ee\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 63}, \u0022payload_preview\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\\r\\nAccep\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wp-content\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\\r\\nAccep\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wp-content\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\\r\\nAccep\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002213d2887524159f6f389ec4919f4a1931fca9dca8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wp-content\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\\r\\nAccep\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wp-content\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 63, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wp-content\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wp-content\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)\\r\\nAccep\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 5.15; Mac_PowerPC)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":190},{"id":8891950,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54778,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/blog\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022a42233fa64047e2118a9f302b54341e3297d2a4a\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u00221813dede65bdf71d338345f47e16a42344128e28\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 240, \u0022payload_entropy\u0022: 5.400318380665879, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u0022a89c90fdf4ed48c3bbab5dca78e6fd347f42459b\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c19fc101f73d0a7b96a170ae2f396b67\u0022, \u0022payload_hash\u0022: \u0022aefca8ed0ce28f0c6b5931f055caa939\u0022, \u0022path_pattern_hash\u0022: \u0022daa6f35b77a4b5cee3d40cc9dc6869ad\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/blog\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/blog\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f0a673bc0cd4f741b4d7c1be4eb3c81d16214594\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/blog\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/blog\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/blog\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/blog\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":240},{"id":8891951,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54788,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/symfony\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00220fa3fd9f130dec88ef95f184a1a7543b59d2951d\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u0022256775bfb3e8fd0855bebb6ef917cf83cff8a368\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 248, \u0022payload_entropy\u0022: 5.419727990456006, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u0022795afc673097aa06453f59818ee3829fbf342da9\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002253f29473616e48292e9ea2a8e196028a\u0022, \u0022payload_hash\u0022: \u002210b8dc0d76e1eeadd012cb3488e6ad8b\u0022, \u0022path_pattern_hash\u0022: \u00228b0b254049cc28b88f641713d31106e0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/symfony\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/symfony\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f2b4f0d7541814c5ee90d8428435d59b2bee4072\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/symfony\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/symfony\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/symfony\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/symfony\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":248},{"id":8891952,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54796,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/code\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022b3970182b67098d11a430fd4d67f51464465054f\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u0022538da175681b2052ab512cad0fb3bd57e81adff0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 257, \u0022payload_entropy\u0022: 5.394334983751934, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u0022cab757b3769236daa77e9fa3fee735a839c91f0f\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225d16faaeaca0e0a05462f6520cd0ed8d\u0022, \u0022payload_hash\u0022: \u00220d539f393118f43c1be3f33716f87ab8\u0022, \u0022path_pattern_hash\u0022: \u0022dda1558dfc88b8ae947dda6da613b7f7\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/5\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/code\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/5\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/code\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/5\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228484a0fc4eea76d036b4aa32ec4525e6b20322ad\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/code\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/5\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/code\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/code\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/code\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/5\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":257},{"id":8891953,"ip":"35.244.7.152","ts":"2026-06-14 12:30:12.000000","proto":"tcp","src_port":54806,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/project\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00224ba66b40320cb580be85e92e9784870b5bb944dc\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u002268976db99265042d7b0c3b91df3fbefc1a56cd37\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 267, \u0022payload_entropy\u0022: 5.438093895139716, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u0022dcd5ad241521cee47de4d17b8881f52b3416783d\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226051ec366780d4e49120815cd69cf4a1\u0022, \u0022payload_hash\u0022: \u002232a5026fd2d81effb0c68a0ebdca836c\u0022, \u0022path_pattern_hash\u0022: \u002240d5006de80bb36cea868dfbe43c4ff0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/project\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.90 Safari\/537.36 Vivaldi\/1.4.589.11\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.90 Safari\/537.36 Vivaldi\/1.4.589.11\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection\u0022, \u0022payload_snippet\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/project\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.90 Safari\/537.36 Vivaldi\/1.4.589.11\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.90 Safari\/537.36 Vivaldi\/1.4.589.11\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection\u0022, \u0022payload_snippet\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220e41917bcd9308c53d0b334934f28cf9969bd8d6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/project\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.90 Safari\/537.36 Vivaldi\/1\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/project\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/project\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.90 Safari\/537.36 Vivaldi\/1\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/project\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.90 Safari\/537.36 Vivaldi\/1.4.589.11","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":267},{"id":8891924,"ip":"35.244.7.152","ts":"2026-06-14 12:30:11.000000","proto":"tcp","src_port":54586,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/html\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002216017d5dfcb437768718da98b0dfe2740b730ebb\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u0022ed148acba970ce3061829b4dd97608d1a6997773\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 219, \u0022payload_entropy\u0022: 5.268999253678825, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u00224827d2d0a1e36e78f9be532baf8616cd3c25382e\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022181b07917048cf2a5d7c288c580dfb65\u0022, \u0022payload_hash\u0022: \u00224c1001d7499f8bec708568296cb1e5d6\u0022, \u0022path_pattern_hash\u0022: \u0022985e825857a4aae20b7bcc62b05870c4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/7.\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/html\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/7.0; .NET4.0E; .NET4.0C)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/7.0; .NET4.0E; .NET4.0C)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/7.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/html\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/7.0; .NET4.0E; .NET4.0C)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/7.0; .NET4.0E; .NET4.0C)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/7.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220e3fa1f06bfe62f86c220b345654534d9b76bf39\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/html\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/7.0; .NET4.0E; .NET4.0C)\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/7.\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/html\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/html\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/7.0; .NET4.0E; .NET4.0C)\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/html\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/7.\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/7.0; .NET4.0E; .NET4.0C)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":219},{"id":8891925,"ip":"35.244.7.152","ts":"2026-06-14 12:30:11.000000","proto":"tcp","src_port":54596,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/www\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022f98a65e7aaa2a674609ce0e58c31530c28b5189b\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u00227b5c6d1b9506a8d5fe958dbcf1ffdcdd61f34f9e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 222, \u0022payload_entropy\u0022: 5.259958602016829, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u0022b8d49d3b0a89724a7543eea42952218bd37eeab5\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228fac6af1320ab85eee6a8c24e6cff7d0\u0022, \u0022payload_hash\u0022: \u00222528f61e54df5f4de44d7523d8670ae6\u0022, \u0022path_pattern_hash\u0022: \u00222067f182832f5bbc5f3205656471af53\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Geck\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/www\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Geck\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/www\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Geck\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002245de1bd587d92cf60cae02b9b2ddcb9118436010\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/www\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Geck\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/www\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/www\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/www\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Geck\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_2; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":222},{"id":8891926,"ip":"35.244.7.152","ts":"2026-06-14 12:30:11.000000","proto":"tcp","src_port":54604,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/app\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022fc9781c975d92c72d7fbdb574659c43840811169\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u0022c0d576333b61f38bb5785040d2824435407a4c84\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 255, \u0022payload_entropy\u0022: 5.40742711859879, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u0022fb565c4e1ef5df105173f71c70b15c191229c845\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b1203e067229de427efedba4a41e9c2d\u0022, \u0022payload_hash\u0022: \u0022a26264d65ddc7c118504da7bed0e84dd\u0022, \u0022path_pattern_hash\u0022: \u002287d63e686c8d80bd28afc993649c7598\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KH\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KH\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KH\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b90a191b06b55a562c707936c88dff356d91e755\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/app\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KH\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/app\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KH\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":255},{"id":8891927,"ip":"35.244.7.152","ts":"2026-06-14 12:30:11.000000","proto":"tcp","src_port":54616,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":33,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/frontend\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022503f0ab2ff267b53bfa5e6de54112fffcea8a215\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u002279637aca3de7d81f8030ec893ab364d04845083c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 204, \u0022payload_entropy\u0022: 5.196584206497675, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229e8c38f20344a84d935acd8a256a8fad98b71910\u0022, \u0022event_fingerprint\u0022: \u002294dd49cb5dba552198200abab3b0e187e404326a\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e4b041114023353df050002a76991832\u0022, \u0022payload_hash\u0022: \u0022c330bfa4972ced195d72f6870fa59dbc\u0022, \u0022path_pattern_hash\u0022: \u0022916bc8abf1fa018cce797ab5bdb418f0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.co\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/frontend\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bots)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bots)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.co\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/frontend\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bots)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bots)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.co\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d923f4f686e78e07f68b913b87ae83c1e091650a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/frontend\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bots)\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.co\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/frontend\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/frontend\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bots)\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/frontend\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.co\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (compatible; YandexBot\/3.0; +http:\/\/yandex.com\/bots)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":204},{"id":8891928,"ip":"35.244.7.152","ts":"2026-06-14 12:30:11.000000","proto":"tcp","src_port":54628,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/web\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022ed562f4ce0ce36d4da8120f8a185ebd7d4f96b75\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u0022f32c2ab0d87a20f2415a1cf44997c48739d87917\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 201, \u0022payload_entropy\u0022: 5.26899545466924, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u002227189301af7ef6dc9e9139dc223a0156d67c4b17\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c3b8ffd6d4f92441ef5d8e508ab43875\u0022, \u0022payload_hash\u0022: \u002251d55b5770fe3bf9d6c5e7a1ac008bfd\u0022, \u0022path_pattern_hash\u0022: \u00222be87edfa036da6580e700b188114b92\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222ebe10048d8efd00f04ca7f89549f8c5fb85a840\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/web\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/web\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/web\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/web\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (X11; Linux i686; rv:46.0) Gecko\/20100101 Firefox\/46.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":201},{"id":8891929,"ip":"35.244.7.152","ts":"2026-06-14 12:30:11.000000","proto":"tcp","src_port":54636,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/v3\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022bf31940974926a5763fb97b30a0758a02832f5db\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u00224bf76a52a29633f52f17f2cac5ee4daa8e021adb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 253, \u0022payload_entropy\u0022: 5.33531161419697, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022072e046213ed8b955eee834f3ebcb85e6f219ef8\u0022, \u0022event_fingerprint\u0022: \u0022cf7b4e799ba8e96553af054d59e0b0955a9d50e0\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002225963a19e34a2b3771b230e970d3f90e\u0022, \u0022payload_hash\u0022: \u0022a08a4ffceb449ca70de4cc9ce8313da6\u0022, \u0022path_pattern_hash\u0022: \u00224562786c79a4c5f0790c3581071f5847\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/605\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v3\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/605\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v3\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/605\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ac8120e256bee44a09e353c33829ad42dbb701a3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/v3\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Safari\/605.1.15\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/605\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/v3\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/v3\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Safari\/605.1.15\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/v3\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/605\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Safari\/605.1.15","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":253},{"id":8891930,"ip":"35.244.7.152","ts":"2026-06-14 12:30:11.000000","proto":"tcp","src_port":54642,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/backend\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002284c75482fdef0a4798619e9b7d389fd65ba79acd\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u00222482ac6c987d570b89dfba6cfee3dc3ac194789d\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 265, \u0022payload_entropy\u0022: 5.430726962574239, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u0022fc63db559cadf9824f2e14c43c95271dc7a62e4c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223dd2d5718cccb3969b1019b3f0860581\u0022, \u0022payload_hash\u0022: \u002239d871449dc815cbf3a19616cd63cfdf\u0022, \u0022path_pattern_hash\u0022: \u00222de751ea5a34e7a22b69004dc29faa62\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: \u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: \u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022761053f891596c98a090fa90a076e679bf0fa0eb\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/backend\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/backend\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/backend\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/backend\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":265},{"id":8891931,"ip":"35.244.7.152","ts":"2026-06-14 12:30:11.000000","proto":"tcp","src_port":54650,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/v2\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022e81cb2b116e29ca54679925c8da33c49517289d8\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u00223a5f2466c34928bb38a61b739c70bfc69a077a30\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 251, \u0022payload_entropy\u0022: 5.345289539687386, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022072e046213ed8b955eee834f3ebcb85e6f219ef8\u0022, \u0022event_fingerprint\u0022: \u0022412dbd932167461fa58715bcb8005f26604a5979\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f5545d5f862395075c89ff9c024d9755\u0022, \u0022payload_hash\u0022: \u0022de89c281c8eff125531d5bbd16005928\u0022, \u0022path_pattern_hash\u0022: \u0022fcafe4006602b874bcf9d18118e88566\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v2\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v2\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022af62d769a61dc9276478adf14c6162bf2dcb078d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/v2\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Safari\/605.1.15\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/v2\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/v2\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Safari\/605.1.15\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/v2\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Safari\/605.1.15","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":251},{"id":8891932,"ip":"35.244.7.152","ts":"2026-06-14 12:30:11.000000","proto":"tcp","src_port":54654,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/v1\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00225b7b2e4e70985e0107fe5bb257375bc0686bfd58\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u0022852e68c3e2549d34d36a9b5a3605571990e68c97\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.38609341880514, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022072e046213ed8b955eee834f3ebcb85e6f219ef8\u0022, \u0022event_fingerprint\u0022: \u0022a8de5693b42e5facc24bfb8ebd1cc1eb3ad1c54f\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220661b118496333fb1ed77a64f08bf520\u0022, \u0022payload_hash\u0022: \u002255f46667582e36345fb53e8933b07432\u0022, \u0022path_pattern_hash\u0022: \u00220efea7c22b821f254abb056b9239c5c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v1\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v1\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225932fa15fa01ecd48bc6325463ae12784cdea360\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/v1\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/v1\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/v1\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/v1\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":252},{"id":8891933,"ip":"35.244.7.152","ts":"2026-06-14 12:30:11.000000","proto":"tcp","src_port":54668,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":31,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00221142aace171bdc96dab7feede9d4ef7bf73b6f94\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u00224d60538c38eae0fe13cbc99a2ea3645cbb337669\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 223, \u0022payload_entropy\u0022: 5.3158950873123, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 67, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022de2b361dfe9379248b2ddc68a1042996572d6274\u0022, \u0022event_fingerprint\u0022: \u0022d1751d368d30503fc6d636d9e18fa389ec0f4273\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 67, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002216fa4c68e54b2d26a3caf99a15f514fb\u0022, \u0022payload_hash\u0022: \u0022916181810a1f56f7af3f331bd650dc44\u0022, \u0022path_pattern_hash\u0022: \u00223ed56f63a5d3aef03e8853abb49b3eea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 67}, \u0022payload_preview\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222627651b24953722c314c174eaa0008e3764febb\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/api\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 67, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 67, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/api\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":223},{"id":8891934,"ip":"35.244.7.152","ts":"2026-06-14 12:30:11.000000","proto":"tcp","src_port":54670,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/htdocs\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022643957f3f5a6c1b413bc2e6217365079b03aa0be\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u002291751256d60394a8b0340bb86ad1a8313b8dadfa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 253, \u0022payload_entropy\u0022: 5.2976793661116455, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u0022a0b833ec8d7880df07e50857bddb6aa15cbf48b2\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002286071845cb753375463c5a14f9116f14\u0022, \u0022payload_hash\u0022: \u0022fe825c5624b702ae4501e94d373b7450\u0022, \u0022path_pattern_hash\u0022: \u00229d5b4b02a118c63f9864fb4303c2c2fa\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit\/6\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/htdocs\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit\/6\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/htdocs\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit\/6\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022068bb9b1241e44d6dd3b726d90ae1c60984c1431\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/htdocs\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Safari\/605.1.15\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit\/6\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/htdocs\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/htdocs\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Safari\/605.1.15\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/htdocs\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit\/6\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Safari\/605.1.15","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":253},{"id":8891935,"ip":"35.244.7.152","ts":"2026-06-14 12:30:11.000000","proto":"tcp","src_port":54684,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/src\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022adf6eb99bc1dfcf128fb2da9e15d083989800d4e\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u002246e050e820087702ef14a381ebad48881db62e31\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 251, \u0022payload_entropy\u0022: 5.37886760701635, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u0022ad3c756f0a2ebc360b3915ef229deecb319dcabe\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221f9596134a34f5fff3689a9df31d7d3b\u0022, \u0022payload_hash\u0022: \u00226790b4071f997ca73377a9b8d2ff4f5a\u0022, \u0022path_pattern_hash\u0022: \u002283762003e224a5603ed7ad8ff32c59fc\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/537\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/src\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/537.13+ (KHTML, like Gecko) Version\/5.1.7 Safari\/534.57.2\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/537.13+ (KHTML, like Gecko) Version\/5.1.7 Safari\/534.57.2\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/537\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/src\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/537.13+ (KHTML, like Gecko) Version\/5.1.7 Safari\/534.57.2\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/537.13+ (KHTML, like Gecko) Version\/5.1.7 Safari\/534.57.2\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/537\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c810379cc04df870f14100fba0ddf476f1b7f439\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/src\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/537.13+ (KHTML, like Gecko) Version\/5.1.7 Safari\/534.57.2\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/537\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/src\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/src\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/537.13+ (KHTML, like Gecko) Version\/5.1.7 Safari\/534.57.2\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/src\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/537\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/537.13+ (KHTML, like Gecko) Version\/5.1.7 Safari\/534.57.2","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":251},{"id":8891936,"ip":"35.244.7.152","ts":"2026-06-14 12:30:11.000000","proto":"tcp","src_port":54688,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/public\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002246875b8f9d1f66c6d3963868074ca4a9df7b9234\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u00228257582ae447b9a2124e0414764cac0aac8808de\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.388280177631209, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f4251f141caeb227bf292cdb6547cfe658b037f1\u0022, \u0022event_fingerprint\u0022: \u002204077036f5f766758f173dab9f6d20d460087f57\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022452d5022736dc61d00442d3c02cba1b4\u0022, \u0022payload_hash\u0022: \u002218e2d0187e9b1b1cc49781823f1c1ed1\u0022, \u0022path_pattern_hash\u0022: \u002278b85c05b86f9869fecb7907511b414c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/public\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.77 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.77 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/public\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.77 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.77 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a981733c0fc790f82e2b270053d7077cc939a2fb\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/public\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.77 Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/public\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/public\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.77 Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/public\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.77 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":247},{"id":8891937,"ip":"35.244.7.152","ts":"2026-06-14 12:30:11.000000","proto":"tcp","src_port":54690,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/static\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022e4b10a5cd7bc53df1292c90d34c41c6ad5333e8e\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u0022521a53c26ae63c9f634cf4a8753a3e9a31c14380\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 255, \u0022payload_entropy\u0022: 5.405758170032907, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228483bcc490f87e68a904573bd108a03874a3b359\u0022, \u0022event_fingerprint\u0022: \u002253916c181b2be4ca7aaf334ae3ada665f82e9887\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022992c161d94e1e44d7c87f3fe3985ca9d\u0022, \u0022payload_hash\u0022: \u00220b3586a35aa8c34609d7348c9daf6d47\u0022, \u0022path_pattern_hash\u0022: \u00228991b5397bf20ed66988d72bf753894a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; GT-N8000) AppleWebKit\/53\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/static\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 4.4.2; GT-N8000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; GT-N8000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; GT-N8000) AppleWebKit\/53\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/static\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 4.4.2; GT-N8000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; GT-N8000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; GT-N8000) AppleWebKit\/53\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ef4ef2b0c678773b9f726192ed2a4f6789eaf562\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/static\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 4.4.2; GT-N8000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; GT-N8000) AppleWebKit\/53\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/static\/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/static\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 4.4.2; GT-N8000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Safari\/537.36\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/static\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; GT-N8000) AppleWebKit\/53\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_static\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Linux; Android 4.4.2; GT-N8000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_static\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":255},{"id":8891923,"ip":"35.244.7.152","ts":"2026-06-14 12:30:10.000000","proto":"tcp","src_port":54580,"dst_port":6080,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022569fc6ef46859c5e3874c5c9a05caaa213613428\u0022, \u0022http_host_hash\u0022: \u00227ebe258015f7d693a75a6850de5051866e607999\u0022, \u0022http_target_hash\u0022: \u0022e2f253eab0d0cf5422d24d22ae2a4954398768df\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 304, \u0022payload_entropy\u0022: 5.412329086740119, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 67, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ce41a670486aa964d23a5eef5c3998de8cb2d290\u0022, \u0022event_fingerprint\u0022: \u0022778d7a9a037c50db46d9063839d3c213ab905e2f\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 270, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0198\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0198\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0198\u0022], \u0022matched_pattern_names\u0022: [\u0022Probe \/.git\/config\u0022], \u0022pattern_ids\u0022: [\u0022pat-0198\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 67, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263d68655b0c349afdc257e51d77a4715\u0022, \u0022payload_hash\u0022: \u002255bd6aa1c8d7f9b2aa15a95f6f36b928\u0022, \u0022path_pattern_hash\u0022: \u00223ec26e4f0817b37785cd5e68fed88892\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 67}, \u0022payload_preview\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/M\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.2 3gpp-gba\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.2 3gpp-gba\\r\\nAccept-Charset: utf\u0022, \u0022payload_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/M\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.2 3gpp-gba\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.2 3gpp-gba\\r\\nAccept-Charset: utf\u0022, \u0022payload_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/M\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022744c07a6e02f6cacffc498dc831baca36559e991\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHT\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/M\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/.git\/config\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 67, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 67, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0198\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022pat-0198\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHT\u2026\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:6080\\r\\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/M\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_git\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6080","http_user_agent":"Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.2 3gpp-gba","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_git\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":304},{"id":8891909,"ip":"35.244.7.152","ts":"2026-06-14 12:30:09.000000","proto":"tcp","src_port":53446,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.91557985159055, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00222fdc99c62905e5c9f8906fa1b85d1248\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd%\ufffd{\\\u0022O\ufffd\ufffdf*\ufffdo\ufffda\ufffd\ufffd\ufffdlW\ufffdUr\\u0010\ufffd\ufffd\ufffd\ufffdV\ufffd\\\\\\\u0022 \ufffdh\ufffd\ufffd\u07c9\ufffd\ufffd?`\\t`\u038e%\ufffd\\u0019?\ufffdz\\u001d\ufffd\ufffd\ufffd\udb03\udf50G\\b\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd%\ufffd{\\\u0022O\ufffd\ufffdf*\ufffdo\ufffda\ufffd\ufffd\ufffdlW\ufffdUr\\u0010\ufffd\ufffd\ufffd\ufffdV\ufffd\\\\\\\u0022 \ufffdh\ufffd\ufffd\u07c9\ufffd\ufffd?`\\t`\u038e%\ufffd\\u0019?\ufffdz\\u001d\ufffd\ufffd\ufffd\udb03\udf50G\\b\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffdG\ufffd\\u0007\ufffdWg\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdV\\u0015\ufffd\ufffd\\t!\ufffd@\ufffd\ufffd\\u0010\\u001b\ufffd4.\\u001d\ufffd\\u0014\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd%\ufffd{\\\u0022O\ufffd\ufffdf*\ufffdo\ufffda\ufffd\ufffd\ufffdlW\ufffdUr\\u0010\ufffd\ufffd\ufffd\ufffdV\ufffd\\\\\\\u0022 \ufffdh\ufffd\ufffd\u07c9\ufffd\ufffd?`\\t`\u038e%\ufffd\\u0019?\ufffdz\\u001d\ufffd\ufffd\ufffd\udb03\udf50G\\b\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002241e0c29b959e2ee489e4502b9311a02354f88169\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd%\ufffd{\\\u0022O\ufffd\ufffdf*\ufffdo\ufffda\ufffd\ufffd\ufffdlW\ufffdUr\\u0010\ufffd\ufffd\ufffd\ufffdV\ufffd\\\\\\\u0022 \ufffdh\ufffd\ufffd\u07c9\ufffd\ufffd?`\\t`\u038e%\ufffd\\u0019?\ufffdz\\u001d\ufffd\ufffd\ufffd\udb03\udf50G\\b\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd%\ufffd{\\\u0022O\ufffd\ufffdf*\ufffdo\ufffda\ufffd\ufffd\ufffdlW\ufffdUr\ufffd\ufffd\ufffd\ufffdV\ufffd\\\\\\\u0022 \ufffdh\ufffd\ufffd\u07c9\ufffd\ufffd?`\\t`\u038e%\ufffd?\ufffdz\ufffd\ufffd\ufffd\udb03\udf50G\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd%\ufffd{\\\u0022O\ufffd\ufffdf*\ufffdo\ufffda\ufffd\ufffd\ufffdlW\ufffdUr\\u0010\ufffd\ufffd\ufffd\ufffdV\ufffd\\\\\\\u0022 \ufffdh\ufffd\ufffd\u07c9\ufffd\ufffd?`\\t`\u038e%\ufffd\\u0019?\ufffdz\\u001d\ufffd\ufffd\ufffd\udb03\udf50G\\b\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd%\ufffd{\\\u0022O\ufffd\ufffdf*\ufffdo\ufffda\ufffd\ufffd\ufffdlW\ufffdUr\ufffd\ufffd\ufffd\ufffdV\ufffd\\\\\\\u0022 \ufffdh\ufffd\ufffd\u07c9\ufffd\ufffd?`\\t`\u038e%\ufffd?\ufffdz\ufffd\ufffd\ufffd\udb03\udf50G\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891910,"ip":"35.244.7.152","ts":"2026-06-14 12:30:09.000000","proto":"tcp","src_port":53458,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.817603652375894, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022a3b58249e756b543953b5e199927288f\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdK\ufffd\ufffd\\u0004Z\ufffd\\nw\\u0013\ufffd1H\ufffdQ\ufffd\ufffd\u03b9X!y\ufffd\ufffd`\ufffd\\u0016\ufffd2\ufffd\ufffd\ufffd \ufffd`\\\\\ufffd\ufffdy\ufffd\ufffd\\u001br\ufffdX\\u0011\\u0000\ufffdw\ufffd\u0354\\u0011@\ufffd\ufffd\ufffdQl\ufffd*}\ufffd6\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdK\ufffd\ufffd\\u0004Z\ufffd\\nw\\u0013\ufffd1H\ufffdQ\ufffd\ufffd\u03b9X!y\ufffd\ufffd`\ufffd\\u0016\ufffd2\ufffd\ufffd\ufffd \ufffd`\\\\\ufffd\ufffdy\ufffd\ufffd\\u001br\ufffdX\\u0011\\u0000\ufffdw\ufffd\u0354\\u0011@\ufffd\ufffd\ufffdQl\ufffd*}\ufffd6\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \u010f.\ufffd\\u000f\ufffd\ufffdG\ufffd\ufffd\ufffd|\\u0016E\\u0010\ufffd\ufffd\ufffd6\u04e5\ufffdTQ\ufffd\ufffd\ufffdn\ufffd\\n\ufffd.\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdK\ufffd\ufffd\\u0004Z\ufffd\\nw\\u0013\ufffd1H\ufffdQ\ufffd\ufffd\u03b9X!y\ufffd\ufffd`\ufffd\\u0016\ufffd2\ufffd\ufffd\ufffd \ufffd`\\\\\ufffd\ufffdy\ufffd\ufffd\\u001br\ufffdX\\u0011\\u0000\ufffdw\ufffd\u0354\\u0011@\ufffd\ufffd\ufffdQl\ufffd*}\ufffd6\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022100c32aec2dd94d57380a27508a7ef7cf1b1d021\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdK\ufffd\ufffd\\u0004Z\ufffd\\nw\\u0013\ufffd1H\ufffdQ\ufffd\ufffd\u03b9X!y\ufffd\ufffd`\ufffd\\u0016\ufffd2\ufffd\ufffd\ufffd \ufffd`\\\\\ufffd\ufffdy\ufffd\ufffd\\u001br\ufffdX\\u0011\\u0000\ufffdw\ufffd\u0354\\u0011@\ufffd\ufffd\ufffdQl\ufffd*}\ufffd6\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdK\ufffd\ufffdZ\ufffd\\nw\ufffd1H\ufffdQ\ufffd\ufffd\u03b9X!y\ufffd\ufffd`\ufffd\ufffd2\ufffd\ufffd\ufffd \ufffd`\\\\\ufffd\ufffdy\ufffd\ufffdr\ufffdX\ufffdw\ufffd\u0354@\ufffd\ufffd\ufffdQl\ufffd*}\ufffd6\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdK\ufffd\ufffd\\u0004Z\ufffd\\nw\\u0013\ufffd1H\ufffdQ\ufffd\ufffd\u03b9X!y\ufffd\ufffd`\ufffd\\u0016\ufffd2\ufffd\ufffd\ufffd \ufffd`\\\\\ufffd\ufffdy\ufffd\ufffd\\u001br\ufffdX\\u0011\\u0000\ufffdw\ufffd\u0354\\u0011@\ufffd\ufffd\ufffdQl\ufffd*}\ufffd6\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdK\ufffd\ufffdZ\ufffd\\nw\ufffd1H\ufffdQ\ufffd\ufffd\u03b9X!y\ufffd\ufffd`\ufffd\ufffd2\ufffd\ufffd\ufffd \ufffd`\\\\\ufffd\ufffdy\ufffd\ufffdr\ufffdX\ufffdw\ufffd\u0354@\ufffd\ufffd\ufffdQl\ufffd*}\ufffd6\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891911,"ip":"35.244.7.152","ts":"2026-06-14 12:30:09.000000","proto":"tcp","src_port":53468,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.898127135630437, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00227d94c8d307c5f17157bc3468e973c3ec\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003vK\ufffd\\n\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u6642\\u0000z.\ufffd\ufffdMs\ufffd\ufffd\ufffdk\ufffd\ufffd\\u001a\ufffdMu *\ufffd[\u04aa\ufffd\\\u0022\ufffd\ufffdY\ufffd\ufffd_\u023d\ufffd[\ufffd\ufffdOj\ufffd\ufffd8=\ufffd\ufffd\\u0002\\u0015\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003vK\ufffd\\n\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u6642\\u0000z.\ufffd\ufffdMs\ufffd\ufffd\ufffdk\ufffd\ufffd\\u001a\ufffdMu *\ufffd[\u04aa\ufffd\\\u0022\ufffd\ufffdY\ufffd\ufffd_\u023d\ufffd[\ufffd\ufffdOj\ufffd\ufffd8=\ufffd\ufffd\\u0002\\u0015\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 #w\ufffd\ufffd\ufffd\u00d4\ufffd\ufffd\\u0010\\u000f|\ufffd\ufffd\ufffd?[}A\u0128`\\u0012\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd-\ufffdC\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003vK\ufffd\\n\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u6642\\u0000z.\ufffd\ufffdMs\ufffd\ufffd\ufffdk\ufffd\ufffd\\u001a\ufffdMu *\ufffd[\u04aa\ufffd\\\u0022\ufffd\ufffdY\ufffd\ufffd_\u023d\ufffd[\ufffd\ufffdOj\ufffd\ufffd8=\ufffd\ufffd\\u0002\\u0015\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220188670e22eb830ed24b9d0572444c49d9d3ab80\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003vK\ufffd\\n\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u6642\\u0000z.\ufffd\ufffdMs\ufffd\ufffd\ufffdk\ufffd\ufffd\\u001a\ufffdMu *\ufffd[\u04aa\ufffd\\\u0022\ufffd\ufffdY\ufffd\ufffd_\u023d\ufffd[\ufffd\ufffdOj\ufffd\ufffd8=\ufffd\ufffd\\u0002\\u0015\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdvK\ufffd\\n\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u6642z.\ufffd\ufffdMs\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffdMu *\ufffd[\u04aa\ufffd\\\u0022\ufffd\ufffdY\ufffd\ufffd_\u023d\ufffd[\ufffd\ufffdOj\ufffd\ufffd8=\ufffd\ufffd\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003vK\ufffd\\n\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u6642\\u0000z.\ufffd\ufffdMs\ufffd\ufffd\ufffdk\ufffd\ufffd\\u001a\ufffdMu *\ufffd[\u04aa\ufffd\\\u0022\ufffd\ufffdY\ufffd\ufffd_\u023d\ufffd[\ufffd\ufffdOj\ufffd\ufffd8=\ufffd\ufffd\\u0002\\u0015\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdvK\ufffd\\n\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u6642z.\ufffd\ufffdMs\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffdMu *\ufffd[\u04aa\ufffd\\\u0022\ufffd\ufffdY\ufffd\ufffd_\u023d\ufffd[\ufffd\ufffdOj\ufffd\ufffd8=\ufffd\ufffd\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891912,"ip":"35.244.7.152","ts":"2026-06-14 12:30:09.000000","proto":"tcp","src_port":53476,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.828847399903516, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022691001a2ed3b8147b4fdddc61ea0285c\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u000e\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffd$\ufffd\u0334\ufffd\u0446\ufffda\ufffd4\u0026\ufffd\ufffdI\ufffd\/: O\ufffd\\u0011\ufffdn\\f.\ufffdE\ufffd\ufffdUX\\u000ey5\ufffd\\u0010\ufffd,U\\f\ufffd\ufffd\ufffd\ufffd~;\ufffd\ufffd,\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u000e\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffd$\ufffd\u0334\ufffd\u0446\ufffda\ufffd4\u0026\ufffd\ufffdI\ufffd\/: O\ufffd\\u0011\ufffdn\\f.\ufffdE\ufffd\ufffdUX\\u000ey5\ufffd\\u0010\ufffd,U\\f\ufffd\ufffd\ufffd\ufffd~;\ufffd\ufffd,\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffdF\ufffd=\u02c8\ufffd\ufffd\ufffd7\\u000e+\ufffd\ufffdC\ufffd,\\u0002\ufffdJ\ufffd\ufffd\\u0019\ufffd\ufffdj\ufffd$\ufffdQ\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u000e\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffd$\ufffd\u0334\ufffd\u0446\ufffda\ufffd4\u0026\ufffd\ufffdI\ufffd\/: O\ufffd\\u0011\ufffdn\\f.\ufffdE\ufffd\ufffdUX\\u000ey5\ufffd\\u0010\ufffd,U\\f\ufffd\ufffd\ufffd\ufffd~;\ufffd\ufffd,\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c17042360ef20ba8ac71908802d208450ae702ea\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u000e\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffd$\ufffd\u0334\ufffd\u0446\ufffda\ufffd4\u0026\ufffd\ufffdI\ufffd\/: O\ufffd\\u0011\ufffdn\\f.\ufffdE\ufffd\ufffdUX\\u000ey5\ufffd\\u0010\ufffd,U\\f\ufffd\ufffd\ufffd\ufffd~;\ufffd\ufffd,\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffd$\ufffd\u0334\ufffd\u0446\ufffda\ufffd4\u0026\ufffd\ufffdI\ufffd\/: O\ufffd\ufffdn.\ufffdE\ufffd\ufffdUXy5\ufffd\ufffd,U\ufffd\ufffd\ufffd\ufffd~;\ufffd\ufffd,\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u000e\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffd$\ufffd\u0334\ufffd\u0446\ufffda\ufffd4\u0026\ufffd\ufffdI\ufffd\/: O\ufffd\\u0011\ufffdn\\f.\ufffdE\ufffd\ufffdUX\\u000ey5\ufffd\\u0010\ufffd,U\\f\ufffd\ufffd\ufffd\ufffd~;\ufffd\ufffd,\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffd$\ufffd\u0334\ufffd\u0446\ufffda\ufffd4\u0026\ufffd\ufffdI\ufffd\/: O\ufffd\ufffdn.\ufffdE\ufffd\ufffdUXy5\ufffd\ufffd,U\ufffd\ufffd\ufffd\ufffd~;\ufffd\ufffd,\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891913,"ip":"35.244.7.152","ts":"2026-06-14 12:30:09.000000","proto":"tcp","src_port":53478,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.904278011853506, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u002202e3719dcb8128c17cb88acad0df2ea4\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e}9kg\ufffd\ufffd\u07d6\ufffd\ufffd\\u0017\ufffd~\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\\b\ufffd-\ufffd\u034b \ufffd\ufffd\u0318\ufffd8\ufffd\\u0019E\ufffd*\\u0006\ufffd\ufffd\\u0016\ufffd\ufffdsS\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffdI4L\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e}9kg\ufffd\ufffd\u07d6\ufffd\ufffd\\u0017\ufffd~\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\\b\ufffd-\ufffd\u034b \ufffd\ufffd\u0318\ufffd8\ufffd\\u0019E\ufffd*\\u0006\ufffd\ufffd\\u0016\ufffd\ufffdsS\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffdI4L\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 1\ufffd\ufffdz\ufffd\ufffd\\u00031\ufffd\ufffdtz\ufffd\ufffd\ufffd;\ufffd\u003E\\u000b\ufffdn \\u001b\ufffd\ufffd9\ufffd\ufffd\ufffd\\u001fVa\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e}9kg\ufffd\ufffd\u07d6\ufffd\ufffd\\u0017\ufffd~\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\\b\ufffd-\ufffd\u034b \ufffd\ufffd\u0318\ufffd8\ufffd\\u0019E\ufffd*\\u0006\ufffd\ufffd\\u0016\ufffd\ufffdsS\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffdI4L\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227d24a25a0346032d25f1552ee33742d0d8001753\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e}9kg\ufffd\ufffd\u07d6\ufffd\ufffd\\u0017\ufffd~\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\\b\ufffd-\ufffd\u034b \ufffd\ufffd\u0318\ufffd8\ufffd\\u0019E\ufffd*\\u0006\ufffd\ufffd\\u0016\ufffd\ufffdsS\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffdI4L\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffde}9kg\ufffd\ufffd\u07d6\ufffd\ufffd\ufffd~\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffd-\ufffd\u034b \ufffd\ufffd\u0318\ufffd8\ufffdE\ufffd*\ufffd\ufffd\ufffd\ufffdsS\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffdI4L\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e}9kg\ufffd\ufffd\u07d6\ufffd\ufffd\\u0017\ufffd~\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\\b\ufffd-\ufffd\u034b \ufffd\ufffd\u0318\ufffd8\ufffd\\u0019E\ufffd*\\u0006\ufffd\ufffd\\u0016\ufffd\ufffdsS\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffdI4L\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffde}9kg\ufffd\ufffd\u07d6\ufffd\ufffd\ufffd~\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffd-\ufffd\u034b \ufffd\ufffd\u0318\ufffd8\ufffdE\ufffd*\ufffd\ufffd\ufffd\ufffdsS\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffdI4L\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891914,"ip":"35.244.7.152","ts":"2026-06-14 12:30:09.000000","proto":"tcp","src_port":53490,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.847931958569891, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u002290e56a02be93a1e95565ed2bac15a2b3\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001c\ufffdx\ufffd\\f\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd*!\ufffd\ufffd)\ufffd\\u001b`A\ufffd~\\u0001\ufffdj\ufffd\\u001e\ufffd\ufffd \ufffdg\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd\ufffdWt\ufffd\ufffdP\u065fup\ufffd\ufffd\\\u0022M\/r(\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001c\ufffdx\ufffd\\f\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd*!\ufffd\ufffd)\ufffd\\u001b`A\ufffd~\\u0001\ufffdj\ufffd\\u001e\ufffd\ufffd \ufffdg\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd\ufffdWt\ufffd\ufffdP\u065fup\ufffd\ufffd\\\u0022M\/r(\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\ufffd\ufffd\\u0002\\u0015Z\ufffd\\u0004Wu\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\nw\ufffd\\u0004\\u0003 }\u003E\ufffdxB\ufffd\\u00180+\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001c\ufffdx\ufffd\\f\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd*!\ufffd\ufffd)\ufffd\\u001b`A\ufffd~\\u0001\ufffdj\ufffd\\u001e\ufffd\ufffd \ufffdg\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd\ufffdWt\ufffd\ufffdP\u065fup\ufffd\ufffd\\\u0022M\/r(\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002212d6971fb51200a1435e7034ef61fecd4e9a2b23\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001c\ufffdx\ufffd\\f\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd*!\ufffd\ufffd)\ufffd\\u001b`A\ufffd~\\u0001\ufffdj\ufffd\\u001e\ufffd\ufffd \ufffdg\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd\ufffdWt\ufffd\ufffdP\u065fup\ufffd\ufffd\\\u0022M\/r(\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd*!\ufffd\ufffd)\ufffd`A\ufffd~\ufffdj\ufffd\ufffd\ufffd \ufffdg\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd\ufffdWt\ufffd\ufffdP\u065fup\ufffd\ufffd\\\u0022M\/r(\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001c\ufffdx\ufffd\\f\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd*!\ufffd\ufffd)\ufffd\\u001b`A\ufffd~\\u0001\ufffdj\ufffd\\u001e\ufffd\ufffd \ufffdg\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd\ufffdWt\ufffd\ufffdP\u065fup\ufffd\ufffd\\\u0022M\/r(\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd*!\ufffd\ufffd)\ufffd`A\ufffd~\ufffdj\ufffd\ufffd\ufffd \ufffdg\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd\ufffdWt\ufffd\ufffdP\u065fup\ufffd\ufffd\\\u0022M\/r(\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891915,"ip":"35.244.7.152","ts":"2026-06-14 12:30:09.000000","proto":"tcp","src_port":53500,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.838666775607873, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022e80402f7763b4ce48f1bfbc28e1c46ca\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd+\\u000f\ufffd\/\\u0001\ufffd\ufffd\\u0002G\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffdD0\ufffdC\ufffdj\ufffd\\u001c`\ufffd1`\ufffd \ufffdga$\ufffdW\ufffd\ufffdz*\\\\\\t\ufffd|\ufffd\ufffd\\u0010\ufffd\ufffd\ufffdz\ufffd\\b\\u0017\ufffd\\u000e\ufffd\ufffd\ufffd\\u0010l\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd+\\u000f\ufffd\/\\u0001\ufffd\ufffd\\u0002G\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffdD0\ufffdC\ufffdj\ufffd\\u001c`\ufffd1`\ufffd \ufffdga$\ufffdW\ufffd\ufffdz*\\\\\\t\ufffd|\ufffd\ufffd\\u0010\ufffd\ufffd\ufffdz\ufffd\\b\\u0017\ufffd\\u000e\ufffd\ufffd\ufffd\\u0010l\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffdj\ufffd\ufffdx\ufffd\ufffd\u07fe\ufffd\\b5rs\ufffdhE\ufffd\ufffd\u003EIK=\ufffd?\ufffd\\u0013\ufffd,b\ufffd1\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd+\\u000f\ufffd\/\\u0001\ufffd\ufffd\\u0002G\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffdD0\ufffdC\ufffdj\ufffd\\u001c`\ufffd1`\ufffd \ufffdga$\ufffdW\ufffd\ufffdz*\\\\\\t\ufffd|\ufffd\ufffd\\u0010\ufffd\ufffd\ufffdz\ufffd\\b\\u0017\ufffd\\u000e\ufffd\ufffd\ufffd\\u0010l\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220fbd346ea627af4b73fb6f08545465f45e21874c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd+\\u000f\ufffd\/\\u0001\ufffd\ufffd\\u0002G\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffdD0\ufffdC\ufffdj\ufffd\\u001c`\ufffd1`\ufffd \ufffdga$\ufffdW\ufffd\ufffdz*\\\\\\t\ufffd|\ufffd\ufffd\\u0010\ufffd\ufffd\ufffdz\ufffd\\b\\u0017\ufffd\\u000e\ufffd\ufffd\ufffd\\u0010l\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd+\ufffd\/\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffdD0\ufffdC\ufffdj\ufffd`\ufffd1`\ufffd \ufffdga$\ufffdW\ufffd\ufffdz*\\\\\\t\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd\ufffd\ufffd\ufffdl\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd+\\u000f\ufffd\/\\u0001\ufffd\ufffd\\u0002G\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffdD0\ufffdC\ufffdj\ufffd\\u001c`\ufffd1`\ufffd \ufffdga$\ufffdW\ufffd\ufffdz*\\\\\\t\ufffd|\ufffd\ufffd\\u0010\ufffd\ufffd\ufffdz\ufffd\\b\\u0017\ufffd\\u000e\ufffd\ufffd\ufffd\\u0010l\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd+\ufffd\/\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffdD0\ufffdC\ufffdj\ufffd`\ufffd1`\ufffd \ufffdga$\ufffdW\ufffd\ufffdz*\\\\\\t\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd\ufffd\ufffd\ufffdl\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891916,"ip":"35.244.7.152","ts":"2026-06-14 12:30:09.000000","proto":"tcp","src_port":53510,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.861097697779206, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00222122d58c961c4a999d886c4c5f7d1d95\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e\ufffdS[*P\ufffdf\ufffd*O\ufffd\ufffd9\ufffd\ufffd[\ufffd\u05a5\ufffd\ufffd\ufffd6\ufffd\\u00117\ufffd \ufffd.iHn\\u000f\ufffd\ufffd?\ufffdB\\u0007\ufffd\ufffdz\ufffd!\u05b9\\u001b\\u000e\ufffd\ufffd\\u0001\u003Ct\ufffd\\u000e\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e\ufffdS[*P\ufffdf\ufffd*O\ufffd\ufffd9\ufffd\ufffd[\ufffd\u05a5\ufffd\ufffd\ufffd6\ufffd\\u00117\ufffd \ufffd.iHn\\u000f\ufffd\ufffd?\ufffdB\\u0007\ufffd\ufffdz\ufffd!\u05b9\\u001b\\u000e\ufffd\ufffd\\u0001\u003Ct\ufffd\\u000e\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \u0026\ufffd0sX\ufffd\\u001c\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd\ufffd\u0026W\\u0004\ufffd!|\ufffdq`$eR\ufffd\ufffd\ufffdK\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e\ufffdS[*P\ufffdf\ufffd*O\ufffd\ufffd9\ufffd\ufffd[\ufffd\u05a5\ufffd\ufffd\ufffd6\ufffd\\u00117\ufffd \ufffd.iHn\\u000f\ufffd\ufffd?\ufffdB\\u0007\ufffd\ufffdz\ufffd!\u05b9\\u001b\\u000e\ufffd\ufffd\\u0001\u003Ct\ufffd\\u000e\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229e0fb7514efd684e1f1b8c62a028d0f9db32e991\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e\ufffdS[*P\ufffdf\ufffd*O\ufffd\ufffd9\ufffd\ufffd[\ufffd\u05a5\ufffd\ufffd\ufffd6\ufffd\\u00117\ufffd \ufffd.iHn\\u000f\ufffd\ufffd?\ufffdB\\u0007\ufffd\ufffdz\ufffd!\u05b9\\u001b\\u000e\ufffd\ufffd\\u0001\u003Ct\ufffd\\u000e\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffde\ufffdS[*P\ufffdf\ufffd*O\ufffd\ufffd9\ufffd\ufffd[\ufffd\u05a5\ufffd\ufffd\ufffd6\ufffd7\ufffd \ufffd.iHn\ufffd\ufffd?\ufffdB\ufffd\ufffdz\ufffd!\u05b9\ufffd\ufffd\u003Ct\ufffd\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e\ufffdS[*P\ufffdf\ufffd*O\ufffd\ufffd9\ufffd\ufffd[\ufffd\u05a5\ufffd\ufffd\ufffd6\ufffd\\u00117\ufffd \ufffd.iHn\\u000f\ufffd\ufffd?\ufffdB\\u0007\ufffd\ufffdz\ufffd!\u05b9\\u001b\\u000e\ufffd\ufffd\\u0001\u003Ct\ufffd\\u000e\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffde\ufffdS[*P\ufffdf\ufffd*O\ufffd\ufffd9\ufffd\ufffd[\ufffd\u05a5\ufffd\ufffd\ufffd6\ufffd7\ufffd \ufffd.iHn\ufffd\ufffd?\ufffdB\ufffd\ufffdz\ufffd!\u05b9\ufffd\ufffd\u003Ct\ufffd\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891917,"ip":"35.244.7.152","ts":"2026-06-14 12:30:09.000000","proto":"tcp","src_port":53514,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.882632977193364, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00224e2815f7599768851a742b30df4dfa97\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0004\ufffd\ufffd\\u0017\ufffd\\u0011\ufffdW\\u001fV\\u001d\ufffd`v\ufffd\ufffdL\ufffd\u058e\ufffd\ufffdX%~\ufffd^\ufffd\u0718\ufffd gA\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffdW=Q\u0440\\u0005wk\\u001aVk\ufffd\ufffdy\ufffd\\u001eNt\\u0002M@y\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0004\ufffd\ufffd\\u0017\ufffd\\u0011\ufffdW\\u001fV\\u001d\ufffd`v\ufffd\ufffdL\ufffd\u058e\ufffd\ufffdX%~\ufffd^\ufffd\u0718\ufffd gA\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffdW=Q\u0440\\u0005wk\\u001aVk\ufffd\ufffdy\ufffd\\u001eNt\\u0002M@y\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \u0454\\u0005\u02591\ufffd\\u0005\ufffd\ufffdC\\u0012\ufffd\ufffd\\\u0022*]\ufffd\ufffd\\u000f\ufffdR\ufffd\ufffd\ufffdM8]\ufffd\ufffd\\u001a\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0004\ufffd\ufffd\\u0017\ufffd\\u0011\ufffdW\\u001fV\\u001d\ufffd`v\ufffd\ufffdL\ufffd\u058e\ufffd\ufffdX%~\ufffd^\ufffd\u0718\ufffd gA\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffdW=Q\u0440\\u0005wk\\u001aVk\ufffd\ufffdy\ufffd\\u001eNt\\u0002M@y\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002216836d7a4ccde45282da52ae5b7e55c328f22683\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0004\ufffd\ufffd\\u0017\ufffd\\u0011\ufffdW\\u001fV\\u001d\ufffd`v\ufffd\ufffdL\ufffd\u058e\ufffd\ufffdX%~\ufffd^\ufffd\u0718\ufffd gA\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffdW=Q\u0440\\u0005wk\\u001aVk\ufffd\ufffdy\ufffd\\u001eNt\\u0002M@y\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdWV\ufffd`v\ufffd\ufffdL\ufffd\u058e\ufffd\ufffdX%~\ufffd^\ufffd\u0718\ufffd gA\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffdW=Q\u0440wkVk\ufffd\ufffdy\ufffdNtM@y\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0004\ufffd\ufffd\\u0017\ufffd\\u0011\ufffdW\\u001fV\\u001d\ufffd`v\ufffd\ufffdL\ufffd\u058e\ufffd\ufffdX%~\ufffd^\ufffd\u0718\ufffd gA\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffdW=Q\u0440\\u0005wk\\u001aVk\ufffd\ufffdy\ufffd\\u001eNt\\u0002M@y\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdWV\ufffd`v\ufffd\ufffdL\ufffd\u058e\ufffd\ufffdX%~\ufffd^\ufffd\u0718\ufffd gA\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffdW=Q\u0440wkVk\ufffd\ufffdy\ufffdNtM@y\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891919,"ip":"35.244.7.152","ts":"2026-06-14 12:30:09.000000","proto":"tcp","src_port":53520,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.874779224291325, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u002221abd328d372024bac64bec74945a874\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003L\ufffd#\u02ed\ufffd\u003C\ufffd\ufffd\ufffd\ufffd\ufffd:C}RO\\nqhoB\\b\\u001a\ufffd\ufffdv\ufffd2\\u0007\ufffd \ufffd\ufffd.\ufffd\u034e\ufffd\ufffd1\ufffd\u0212\ufffdDK\ufffdn\ufffd\ufffda\ufffd\\r\ufffd\u003C$bXo\ufffd\ufffdW\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003L\ufffd#\u02ed\ufffd\u003C\ufffd\ufffd\ufffd\ufffd\ufffd:C}RO\\nqhoB\\b\\u001a\ufffd\ufffdv\ufffd2\\u0007\ufffd \ufffd\ufffd.\ufffd\u034e\ufffd\ufffd1\ufffd\u0212\ufffdDK\ufffdn\ufffd\ufffda\ufffd\\r\ufffd\u003C$bXo\ufffd\ufffdW\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 2$(\ufffd\u003CO\ufffd\\rz7gU\ufffd\\u0019\u07ac\\u001c\/C\ufffd\ufffdwe\ufffd\ufffd\\u0005\ufffd\ufffdy\ufffd\ufffde\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003L\ufffd#\u02ed\ufffd\u003C\ufffd\ufffd\ufffd\ufffd\ufffd:C}RO\\nqhoB\\b\\u001a\ufffd\ufffdv\ufffd2\\u0007\ufffd \ufffd\ufffd.\ufffd\u034e\ufffd\ufffd1\ufffd\u0212\ufffdDK\ufffdn\ufffd\ufffda\ufffd\\r\ufffd\u003C$bXo\ufffd\ufffdW\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226b1a2f8258a22cc9c14f8e8d549d97d611933e4a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003L\ufffd#\u02ed\ufffd\u003C\ufffd\ufffd\ufffd\ufffd\ufffd:C}RO\\nqhoB\\b\\u001a\ufffd\ufffdv\ufffd2\\u0007\ufffd \ufffd\ufffd.\ufffd\u034e\ufffd\ufffd1\ufffd\u0212\ufffdDK\ufffdn\ufffd\ufffda\ufffd\\r\ufffd\u003C$bXo\ufffd\ufffdW\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdL\ufffd#\u02ed\ufffd\u003C\ufffd\ufffd\ufffd\ufffd\ufffd:C}RO\\nqhoB\ufffd\ufffdv\ufffd2\ufffd \ufffd\ufffd.\ufffd\u034e\ufffd\ufffd1\ufffd\u0212\ufffdDK\ufffdn\ufffd\ufffda\ufffd\\r\ufffd\u003C$bXo\ufffd\ufffdW\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003L\ufffd#\u02ed\ufffd\u003C\ufffd\ufffd\ufffd\ufffd\ufffd:C}RO\\nqhoB\\b\\u001a\ufffd\ufffdv\ufffd2\\u0007\ufffd \ufffd\ufffd.\ufffd\u034e\ufffd\ufffd1\ufffd\u0212\ufffdDK\ufffdn\ufffd\ufffda\ufffd\\r\ufffd\u003C$bXo\ufffd\ufffdW\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdL\ufffd#\u02ed\ufffd\u003C\ufffd\ufffd\ufffd\ufffd\ufffd:C}RO\\nqhoB\ufffd\ufffdv\ufffd2\ufffd \ufffd\ufffd.\ufffd\u034e\ufffd\ufffd1\ufffd\u0212\ufffdDK\ufffdn\ufffd\ufffda\ufffd\\r\ufffd\u003C$bXo\ufffd\ufffdW\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891920,"ip":"35.244.7.152","ts":"2026-06-14 12:30:09.000000","proto":"tcp","src_port":53534,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.921479054662587, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u002294bae764e0ee9a0eaacad2bb3c2fc9d1\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd0\\r\u0214\ufffd\ufffd\u05c2\\t\ufffd\ufffdp\ufffd\\u0012\ufffdn\u0171Vnf\\u0015Jv\ufffd(k_\ufffdH \ufffd\\u0010\ufffd\ufffd\ufffd\\u000f\ufffd~\ufffd\u020fTj\ufffdB\ufffd\ufffd\ufffd:\ufffd\ufffd\\u0017\ufffd\u4dd5\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd0\\r\u0214\ufffd\ufffd\u05c2\\t\ufffd\ufffdp\ufffd\\u0012\ufffdn\u0171Vnf\\u0015Jv\ufffd(k_\ufffdH \ufffd\\u0010\ufffd\ufffd\ufffd\\u000f\ufffd~\ufffd\u020fTj\ufffdB\ufffd\ufffd\ufffd:\ufffd\ufffd\\u0017\ufffd\u4dd5\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 n\ufffdS\ufffd\\u001d\ufffdU\u0027\u0703\ufffdt\ufffd|\ufffdF5#b\\u0007f\ufffd\u02c7d\\\u0022^\ufffd\\u0012\ufffd\\u001f\\\\\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd0\\r\u0214\ufffd\ufffd\u05c2\\t\ufffd\ufffdp\ufffd\\u0012\ufffdn\u0171Vnf\\u0015Jv\ufffd(k_\ufffdH \ufffd\\u0010\ufffd\ufffd\ufffd\\u000f\ufffd~\ufffd\u020fTj\ufffdB\ufffd\ufffd\ufffd:\ufffd\ufffd\\u0017\ufffd\u4dd5\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022024b2d8823c8288ff974196bcb99ddcbfa0a523c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd0\\r\u0214\ufffd\ufffd\u05c2\\t\ufffd\ufffdp\ufffd\\u0012\ufffdn\u0171Vnf\\u0015Jv\ufffd(k_\ufffdH \ufffd\\u0010\ufffd\ufffd\ufffd\\u000f\ufffd~\ufffd\u020fTj\ufffdB\ufffd\ufffd\ufffd:\ufffd\ufffd\\u0017\ufffd\u4dd5\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd0\\r\u0214\ufffd\ufffd\u05c2\\t\ufffd\ufffdp\ufffd\ufffdn\u0171VnfJv\ufffd(k_\ufffdH \ufffd\ufffd\ufffd\ufffd\ufffd~\ufffd\u020fTj\ufffdB\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\u4dd5\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd0\\r\u0214\ufffd\ufffd\u05c2\\t\ufffd\ufffdp\ufffd\\u0012\ufffdn\u0171Vnf\\u0015Jv\ufffd(k_\ufffdH \ufffd\\u0010\ufffd\ufffd\ufffd\\u000f\ufffd~\ufffd\u020fTj\ufffdB\ufffd\ufffd\ufffd:\ufffd\ufffd\\u0017\ufffd\u4dd5\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd0\\r\u0214\ufffd\ufffd\u05c2\\t\ufffd\ufffdp\ufffd\ufffdn\u0171VnfJv\ufffd(k_\ufffdH \ufffd\ufffd\ufffd\ufffd\ufffd~\ufffd\u020fTj\ufffdB\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd\u4dd5\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891904,"ip":"35.244.7.152","ts":"2026-06-14 12:30:08.000000","proto":"tcp","src_port":53404,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.865946382319068, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022a6fdb623069737e7c9f4c8912f3a7dfc\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003{X\ufffdt\ufffd1\\u0005\\u001cT\u06a6\ufffdca\ufffd\ufffd\ufffd-\ufffd\ufffde\ufffdA\u003C\ufffd\ufffdk@_\\u0003\ufffd F\ufffd\ufffd\ufffd\\u0004\ufffdP\ufffdx4\ufffd\ufffd\u0578\\u001c\ufffd\ufffd\u003C\ufffd%:\ufffdY\ufffd\u0672\/.\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003{X\ufffdt\ufffd1\\u0005\\u001cT\u06a6\ufffdca\ufffd\ufffd\ufffd-\ufffd\ufffde\ufffdA\u003C\ufffd\ufffdk@_\\u0003\ufffd F\ufffd\ufffd\ufffd\\u0004\ufffdP\ufffdx4\ufffd\ufffd\u0578\\u001c\ufffd\ufffd\u003C\ufffd%:\ufffdY\ufffd\u0672\/.\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \u003Cc\ufffd\ufffd\u003E\ufffdT\ufffd\\u0011R;\ufffd\ufffdL\\\\|h\ufffd\ufffd\ufffd\\\\h\\u0010c\ufffd\ufffd\\u001dC\u003CAg\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003{X\ufffdt\ufffd1\\u0005\\u001cT\u06a6\ufffdca\ufffd\ufffd\ufffd-\ufffd\ufffde\ufffdA\u003C\ufffd\ufffdk@_\\u0003\ufffd F\ufffd\ufffd\ufffd\\u0004\ufffdP\ufffdx4\ufffd\ufffd\u0578\\u001c\ufffd\ufffd\u003C\ufffd%:\ufffdY\ufffd\u0672\/.\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002213d1f7590f8dcab99efac2dbaf5e31fc11680e1a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003{X\ufffdt\ufffd1\\u0005\\u001cT\u06a6\ufffdca\ufffd\ufffd\ufffd-\ufffd\ufffde\ufffdA\u003C\ufffd\ufffdk@_\\u0003\ufffd F\ufffd\ufffd\ufffd\\u0004\ufffdP\ufffdx4\ufffd\ufffd\u0578\\u001c\ufffd\ufffd\u003C\ufffd%:\ufffdY\ufffd\u0672\/.\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd{X\ufffdt\ufffd1T\u06a6\ufffdca\ufffd\ufffd\ufffd-\ufffd\ufffde\ufffdA\u003C\ufffd\ufffdk@_\ufffd F\ufffd\ufffd\ufffd\ufffdP\ufffdx4\ufffd\ufffd\u0578\ufffd\ufffd\u003C\ufffd%:\ufffdY\ufffd\u0672\/.\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003{X\ufffdt\ufffd1\\u0005\\u001cT\u06a6\ufffdca\ufffd\ufffd\ufffd-\ufffd\ufffde\ufffdA\u003C\ufffd\ufffdk@_\\u0003\ufffd F\ufffd\ufffd\ufffd\\u0004\ufffdP\ufffdx4\ufffd\ufffd\u0578\\u001c\ufffd\ufffd\u003C\ufffd%:\ufffdY\ufffd\u0672\/.\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd{X\ufffdt\ufffd1T\u06a6\ufffdca\ufffd\ufffd\ufffd-\ufffd\ufffde\ufffdA\u003C\ufffd\ufffdk@_\ufffd F\ufffd\ufffd\ufffd\ufffdP\ufffdx4\ufffd\ufffd\u0578\ufffd\ufffd\u003C\ufffd%:\ufffdY\ufffd\u0672\/.\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891905,"ip":"35.244.7.152","ts":"2026-06-14 12:30:08.000000","proto":"tcp","src_port":53412,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.736269801000425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00223ac17fb8fc1e641c5ec70fec6a91dfb1\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003%\ufffd\\f\\u0017\ufffdp\\u0013\ufffdN\ufffd\ufffd\ufffd =\ufffd\\u001a\\u0001\ufffd\ufffdf8\ufffd\\fgDa\\u0003\ufffd\\u001a2W| y\ufffd\ufffd\\r\ufffd\ufffd\ufffdM\ufffd\ufffd\u0457\ufffdRl!L\ufffd\ufffd8o5\ufffd\ufffd\ufffds\\u0005\ufffdbl+\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003%\ufffd\\f\\u0017\ufffdp\\u0013\ufffdN\ufffd\ufffd\ufffd =\ufffd\\u001a\\u0001\ufffd\ufffdf8\ufffd\\fgDa\\u0003\ufffd\\u001a2W| y\ufffd\ufffd\\r\ufffd\ufffd\ufffdM\ufffd\ufffd\u0457\ufffdRl!L\ufffd\ufffd8o5\ufffd\ufffd\ufffds\\u0005\ufffdbl+\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\\u0016\ufffd\\u0004\ufffd8\u04c2\ufffdw\\u0000\u00bd\ufffd\ufffd\\b\\u0002Zt\ufffd\ufffd \ufffd.\ufffd7\ufffd\\u0011\\u000e\ufffd\ufffd5\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003%\ufffd\\f\\u0017\ufffdp\\u0013\ufffdN\ufffd\ufffd\ufffd =\ufffd\\u001a\\u0001\ufffd\ufffdf8\ufffd\\fgDa\\u0003\ufffd\\u001a2W| y\ufffd\ufffd\\r\ufffd\ufffd\ufffdM\ufffd\ufffd\u0457\ufffdRl!L\ufffd\ufffd8o5\ufffd\ufffd\ufffds\\u0005\ufffdbl+\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222f754f101711d7ed5a055c8f0f53324afbd8c869\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003%\ufffd\\f\\u0017\ufffdp\\u0013\ufffdN\ufffd\ufffd\ufffd =\ufffd\\u001a\\u0001\ufffd\ufffdf8\ufffd\\fgDa\\u0003\ufffd\\u001a2W| y\ufffd\ufffd\\r\ufffd\ufffd\ufffdM\ufffd\ufffd\u0457\ufffdRl!L\ufffd\ufffd8o5\ufffd\ufffd\ufffds\\u0005\ufffdbl+\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd%\ufffd\ufffdp\ufffdN\ufffd\ufffd\ufffd =\ufffd\ufffd\ufffdf8\ufffdgDa\ufffd2W| y\ufffd\ufffd\\r\ufffd\ufffd\ufffdM\ufffd\ufffd\u0457\ufffdRl!L\ufffd\ufffd8o5\ufffd\ufffd\ufffds\ufffdbl+\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003%\ufffd\\f\\u0017\ufffdp\\u0013\ufffdN\ufffd\ufffd\ufffd =\ufffd\\u001a\\u0001\ufffd\ufffdf8\ufffd\\fgDa\\u0003\ufffd\\u001a2W| y\ufffd\ufffd\\r\ufffd\ufffd\ufffdM\ufffd\ufffd\u0457\ufffdRl!L\ufffd\ufffd8o5\ufffd\ufffd\ufffds\\u0005\ufffdbl+\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd%\ufffd\ufffdp\ufffdN\ufffd\ufffd\ufffd =\ufffd\ufffd\ufffdf8\ufffdgDa\ufffd2W| y\ufffd\ufffd\\r\ufffd\ufffd\ufffdM\ufffd\ufffd\u0457\ufffdRl!L\ufffd\ufffd8o5\ufffd\ufffd\ufffds\ufffdbl+\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891906,"ip":"35.244.7.152","ts":"2026-06-14 12:30:08.000000","proto":"tcp","src_port":53426,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.783549403474561, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00220100b3e8aa52d6b3fcf111227d55adfa\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd@\\u0013\ufffd\ufffd\ufffd\ufffdezZy\\u0005\ufffd.\ufffdF\ufffd\ufffd\u0027j\u0222\\u0014\\u001f\ufffd\\r\ufffd\ufffd\ufffd\ufffd \ufffd!8\ufffd\ufffdQn\ufffd\ufffd#4\ufffd= S\ufffd{rZ\ufffd\\u0002,E\ufffdob\\u001e\\u001eg\ufffdBa\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd@\\u0013\ufffd\ufffd\ufffd\ufffdezZy\\u0005\ufffd.\ufffdF\ufffd\ufffd\u0027j\u0222\\u0014\\u001f\ufffd\\r\ufffd\ufffd\ufffd\ufffd \ufffd!8\ufffd\ufffdQn\ufffd\ufffd#4\ufffd= S\ufffd{rZ\ufffd\\u0002,E\ufffdob\\u001e\\u001eg\ufffdBa\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \\u0005\ufffd\\u0005s\ufffd\ufffdE\ufffd\\u00008\ufffd\\n(\ufffd\ufffd\ufffdel~{N 8(\ufffd\ufffd\\u0016\ufffd)\ufffd\ufffd\\u001d\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd@\\u0013\ufffd\ufffd\ufffd\ufffdezZy\\u0005\ufffd.\ufffdF\ufffd\ufffd\u0027j\u0222\\u0014\\u001f\ufffd\\r\ufffd\ufffd\ufffd\ufffd \ufffd!8\ufffd\ufffdQn\ufffd\ufffd#4\ufffd= S\ufffd{rZ\ufffd\\u0002,E\ufffdob\\u001e\\u001eg\ufffdBa\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b652cfb8d78fba4413b9273a6b21ed4a27fc7f10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd@\\u0013\ufffd\ufffd\ufffd\ufffdezZy\\u0005\ufffd.\ufffdF\ufffd\ufffd\u0027j\u0222\\u0014\\u001f\ufffd\\r\ufffd\ufffd\ufffd\ufffd \ufffd!8\ufffd\ufffdQn\ufffd\ufffd#4\ufffd= S\ufffd{rZ\ufffd\\u0002,E\ufffdob\\u001e\\u001eg\ufffdBa\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffdezZy\ufffd.\ufffdF\ufffd\ufffd\u0027j\u0222\ufffd\\r\ufffd\ufffd\ufffd\ufffd \ufffd!8\ufffd\ufffdQn\ufffd\ufffd#4\ufffd= S\ufffd{rZ\ufffd,E\ufffdobg\ufffdBa\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd@\\u0013\ufffd\ufffd\ufffd\ufffdezZy\\u0005\ufffd.\ufffdF\ufffd\ufffd\u0027j\u0222\\u0014\\u001f\ufffd\\r\ufffd\ufffd\ufffd\ufffd \ufffd!8\ufffd\ufffdQn\ufffd\ufffd#4\ufffd= S\ufffd{rZ\ufffd\\u0002,E\ufffdob\\u001e\\u001eg\ufffdBa\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffdezZy\ufffd.\ufffdF\ufffd\ufffd\u0027j\u0222\ufffd\\r\ufffd\ufffd\ufffd\ufffd \ufffd!8\ufffd\ufffdQn\ufffd\ufffd#4\ufffd= S\ufffd{rZ\ufffd,E\ufffdobg\ufffdBa\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891907,"ip":"35.244.7.152","ts":"2026-06-14 12:30:08.000000","proto":"tcp","src_port":53436,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.894674151078624, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022dc945c3e147f29c7f4828b42c395de9f\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003A\\u0007@\\u00114\u183cn\ufffdU\ufffd\u0026\\u0014\ufffdJ9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdE\ufffd q|!\\u001a\ufffd!{R1o\ufffd*\ufffd\ufffd\ufffd\u02d0\\u001c\ufffd\ufffd\ufffdSC\ufffd\\u001c==\ufffd\ufffd\\u0005\ufffdL\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003A\\u0007@\\u00114\u183cn\ufffdU\ufffd\u0026\\u0014\ufffdJ9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdE\ufffd q|!\\u001a\ufffd!{R1o\ufffd*\ufffd\ufffd\ufffd\u02d0\\u001c\ufffd\ufffd\ufffdSC\ufffd\\u001c==\ufffd\ufffd\\u0005\ufffdL\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\\u000f\ufffdyU;q\\u0019G\ufffd;A3!\ufffd\u06a3\ufffd\ufffdA\ufffd9\ufffd\u0742U\ufffd\ufffd\\u0016\u05eb5\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003A\\u0007@\\u00114\u183cn\ufffdU\ufffd\u0026\\u0014\ufffdJ9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdE\ufffd q|!\\u001a\ufffd!{R1o\ufffd*\ufffd\ufffd\ufffd\u02d0\\u001c\ufffd\ufffd\ufffdSC\ufffd\\u001c==\ufffd\ufffd\\u0005\ufffdL\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a89180830b7037c03fae232a9bd7ea506fd6e06f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003A\\u0007@\\u00114\u183cn\ufffdU\ufffd\u0026\\u0014\ufffdJ9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdE\ufffd q|!\\u001a\ufffd!{R1o\ufffd*\ufffd\ufffd\ufffd\u02d0\\u001c\ufffd\ufffd\ufffdSC\ufffd\\u001c==\ufffd\ufffd\\u0005\ufffdL\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdA@4\u183cn\ufffdU\ufffd\u0026\ufffdJ9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdE\ufffd q|!\ufffd!{R1o\ufffd*\ufffd\ufffd\ufffd\u02d0\ufffd\ufffd\ufffdSC\ufffd==\ufffd\ufffd\ufffdL\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003A\\u0007@\\u00114\u183cn\ufffdU\ufffd\u0026\\u0014\ufffdJ9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdE\ufffd q|!\\u001a\ufffd!{R1o\ufffd*\ufffd\ufffd\ufffd\u02d0\\u001c\ufffd\ufffd\ufffdSC\ufffd\\u001c==\ufffd\ufffd\\u0005\ufffdL\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdA@4\u183cn\ufffdU\ufffd\u0026\ufffdJ9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdE\ufffd q|!\ufffd!{R1o\ufffd*\ufffd\ufffd\ufffd\u02d0\ufffd\ufffd\ufffdSC\ufffd==\ufffd\ufffd\ufffdL\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891902,"ip":"35.244.7.152","ts":"2026-06-14 12:30:08.000000","proto":"tcp","src_port":53386,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.866786508472304, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022038c154f97bd384df2e6c8d75996596a\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u0610\\u0002\ufffdW\ufffd\ufffd\u0241\ufffd\ufffd\ufffd\ufffd\\\\\ufffd\\u0004\\u001a\ufffdn\u0027\\u0015\ufffd\u061cP\ufffd\ufffd\\\\\ufffd4\\u000e\ufffd \ufffd\ufffdp\ufffd\\u0010k\\u0017\u009d\ufffdp\ufffd!\ufffd\\u0003\ufffd]=\ufffd\\fPQK\ufffd\ufffd\\u000fL\ufffdU\ufffdL\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u0610\\u0002\ufffdW\ufffd\ufffd\u0241\ufffd\ufffd\ufffd\ufffd\\\\\ufffd\\u0004\\u001a\ufffdn\u0027\\u0015\ufffd\u061cP\ufffd\ufffd\\\\\ufffd4\\u000e\ufffd \ufffd\ufffdp\ufffd\\u0010k\\u0017\u009d\ufffdp\ufffd!\ufffd\\u0003\ufffd]=\ufffd\\fPQK\ufffd\ufffd\\u000fL\ufffdU\ufffdL\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 3`\\u0019\ufffd\ufffdP\\u001e\\u0011\ufffd\ufffd\ufffdFh\ufffdyf\\u0012\\u0001\ufffd\\u000f\ufffde\ufffd\ufffd\ufffd\ufffdi\ufffd\u06a0-\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u0610\\u0002\ufffdW\ufffd\ufffd\u0241\ufffd\ufffd\ufffd\ufffd\\\\\ufffd\\u0004\\u001a\ufffdn\u0027\\u0015\ufffd\u061cP\ufffd\ufffd\\\\\ufffd4\\u000e\ufffd \ufffd\ufffdp\ufffd\\u0010k\\u0017\u009d\ufffdp\ufffd!\ufffd\\u0003\ufffd]=\ufffd\\fPQK\ufffd\ufffd\\u000fL\ufffdU\ufffdL\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dcf0572b29b5d93cc7e79eef6583b5d656ab722a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u0610\\u0002\ufffdW\ufffd\ufffd\u0241\ufffd\ufffd\ufffd\ufffd\\\\\ufffd\\u0004\\u001a\ufffdn\u0027\\u0015\ufffd\u061cP\ufffd\ufffd\\\\\ufffd4\\u000e\ufffd \ufffd\ufffdp\ufffd\\u0010k\\u0017\u009d\ufffdp\ufffd!\ufffd\\u0003\ufffd]=\ufffd\\fPQK\ufffd\ufffd\\u000fL\ufffdU\ufffdL\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u0610\ufffdW\ufffd\ufffd\u0241\ufffd\ufffd\ufffd\ufffd\\\\\ufffd\ufffdn\u0027\ufffd\u061cP\ufffd\ufffd\\\\\ufffd4\ufffd \ufffd\ufffdp\ufffdk\u009d\ufffdp\ufffd!\ufffd\ufffd]=\ufffdPQK\ufffd\ufffdL\ufffdU\ufffdL\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u0610\\u0002\ufffdW\ufffd\ufffd\u0241\ufffd\ufffd\ufffd\ufffd\\\\\ufffd\\u0004\\u001a\ufffdn\u0027\\u0015\ufffd\u061cP\ufffd\ufffd\\\\\ufffd4\\u000e\ufffd \ufffd\ufffdp\ufffd\\u0010k\\u0017\u009d\ufffdp\ufffd!\ufffd\\u0003\ufffd]=\ufffd\\fPQK\ufffd\ufffd\\u000fL\ufffdU\ufffdL\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u0610\ufffdW\ufffd\ufffd\u0241\ufffd\ufffd\ufffd\ufffd\\\\\ufffd\ufffdn\u0027\ufffd\u061cP\ufffd\ufffd\\\\\ufffd4\ufffd \ufffd\ufffdp\ufffdk\u009d\ufffdp\ufffd!\ufffd\ufffd]=\ufffdPQK\ufffd\ufffdL\ufffdU\ufffdL\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891903,"ip":"35.244.7.152","ts":"2026-06-14 12:30:08.000000","proto":"tcp","src_port":53402,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.887541610179866, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00225ac77d6c4526b408745f6bebbc28d011\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdh\ufffd\ufffd\\u0012\ufffd\ufffd\ufffdN(C\ufffdj\ufffd2P\ufffd#Y\ufffd\ufffdT\ufffd\ufffdU\ufffd\/\ufffd\\u0018\ufffdh\ufffd \ufffdt\ufffd*!FT\ufffd`\ufffd\ufffdZ{\\u0006\ufffd\ufffd\ufffd\u07b4\\u0010\ufffd\u05bf\ufffdU\ufffd\ufffdt\\b\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdh\ufffd\ufffd\\u0012\ufffd\ufffd\ufffdN(C\ufffdj\ufffd2P\ufffd#Y\ufffd\ufffdT\ufffd\ufffdU\ufffd\/\ufffd\\u0018\ufffdh\ufffd \ufffdt\ufffd*!FT\ufffd`\ufffd\ufffdZ{\\u0006\ufffd\ufffd\ufffd\u07b4\\u0010\ufffd\u05bf\ufffdU\ufffd\ufffdt\\b\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 V\ufffd\ufffd}\u0738\ufffd\ufffd\ufffdp1o\ufffd%d\\u001a\ufffd\ufffd3\ufffd\u0027\\u0003\u01c0\ufffd\ufffd\\rY\ufffd\/\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdh\ufffd\ufffd\\u0012\ufffd\ufffd\ufffdN(C\ufffdj\ufffd2P\ufffd#Y\ufffd\ufffdT\ufffd\ufffdU\ufffd\/\ufffd\\u0018\ufffdh\ufffd \ufffdt\ufffd*!FT\ufffd`\ufffd\ufffdZ{\\u0006\ufffd\ufffd\ufffd\u07b4\\u0010\ufffd\u05bf\ufffdU\ufffd\ufffdt\\b\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222ff1f0360fe859753b69e8bc45f617489942d161\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdh\ufffd\ufffd\\u0012\ufffd\ufffd\ufffdN(C\ufffdj\ufffd2P\ufffd#Y\ufffd\ufffdT\ufffd\ufffdU\ufffd\/\ufffd\\u0018\ufffdh\ufffd \ufffdt\ufffd*!FT\ufffd`\ufffd\ufffdZ{\\u0006\ufffd\ufffd\ufffd\u07b4\\u0010\ufffd\u05bf\ufffdU\ufffd\ufffdt\\b\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd\ufffdN(C\ufffdj\ufffd2P\ufffd#Y\ufffd\ufffdT\ufffd\ufffdU\ufffd\/\ufffd\ufffdh\ufffd \ufffdt\ufffd*!FT\ufffd`\ufffd\ufffdZ{\ufffd\ufffd\ufffd\u07b4\ufffd\u05bf\ufffdU\ufffd\ufffdt\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdh\ufffd\ufffd\\u0012\ufffd\ufffd\ufffdN(C\ufffdj\ufffd2P\ufffd#Y\ufffd\ufffdT\ufffd\ufffdU\ufffd\/\ufffd\\u0018\ufffdh\ufffd \ufffdt\ufffd*!FT\ufffd`\ufffd\ufffdZ{\\u0006\ufffd\ufffd\ufffd\u07b4\\u0010\ufffd\u05bf\ufffdU\ufffd\ufffdt\\b\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffd\ufffdN(C\ufffdj\ufffd2P\ufffd#Y\ufffd\ufffdT\ufffd\ufffdU\ufffd\/\ufffd\ufffdh\ufffd \ufffdt\ufffd*!FT\ufffd`\ufffd\ufffdZ{\ufffd\ufffd\ufffd\u07b4\ufffd\u05bf\ufffdU\ufffd\ufffdt\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891889,"ip":"35.244.7.152","ts":"2026-06-14 12:30:07.000000","proto":"tcp","src_port":53278,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.879638050478487, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00225c718c01b44af83717f3265006215e8e\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd-[\ufffd\ufffd\ufffdD(\ufffd$\ufffd\ufffd9\ufffdP\ufffd\ufffd.\\t%ky\ufffd\ufffd\ufffd\ufffd6\\u001e\ufffd L\/\ufffd\ufffd\ufffd$\ufffd\ufffd\\u001a\ufffdz2\ufffd\\t\ufffd\ufffd\ufffdwg3\ufffdY\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdI\\u001f\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd-[\ufffd\ufffd\ufffdD(\ufffd$\ufffd\ufffd9\ufffdP\ufffd\ufffd.\\t%ky\ufffd\ufffd\ufffd\ufffd6\\u001e\ufffd L\/\ufffd\ufffd\ufffd$\ufffd\ufffd\\u001a\ufffdz2\ufffd\\t\ufffd\ufffd\ufffdwg3\ufffdY\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdI\\u001f\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0015Hd\\u0006*J\ufffdJokn\ufffd\ufffdj\ufffd~0=\ufffd\\t\ufffdK](t_\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd-[\ufffd\ufffd\ufffdD(\ufffd$\ufffd\ufffd9\ufffdP\ufffd\ufffd.\\t%ky\ufffd\ufffd\ufffd\ufffd6\\u001e\ufffd L\/\ufffd\ufffd\ufffd$\ufffd\ufffd\\u001a\ufffdz2\ufffd\\t\ufffd\ufffd\ufffdwg3\ufffdY\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdI\\u001f\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a6c6e3f52ce2d9cce969f32ecca1204ff4d053c5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd-[\ufffd\ufffd\ufffdD(\ufffd$\ufffd\ufffd9\ufffdP\ufffd\ufffd.\\t%ky\ufffd\ufffd\ufffd\ufffd6\\u001e\ufffd L\/\ufffd\ufffd\ufffd$\ufffd\ufffd\\u001a\ufffdz2\ufffd\\t\ufffd\ufffd\ufffdwg3\ufffdY\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdI\\u001f\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd-[\ufffd\ufffd\ufffdD(\ufffd$\ufffd\ufffd9\ufffdP\ufffd\ufffd.\\t%ky\ufffd\ufffd\ufffd\ufffd6\ufffd L\/\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffdz2\ufffd\\t\ufffd\ufffd\ufffdwg3\ufffdY\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdI\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd-[\ufffd\ufffd\ufffdD(\ufffd$\ufffd\ufffd9\ufffdP\ufffd\ufffd.\\t%ky\ufffd\ufffd\ufffd\ufffd6\\u001e\ufffd L\/\ufffd\ufffd\ufffd$\ufffd\ufffd\\u001a\ufffdz2\ufffd\\t\ufffd\ufffd\ufffdwg3\ufffdY\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdI\\u001f\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd-[\ufffd\ufffd\ufffdD(\ufffd$\ufffd\ufffd9\ufffdP\ufffd\ufffd.\\t%ky\ufffd\ufffd\ufffd\ufffd6\ufffd L\/\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffdz2\ufffd\\t\ufffd\ufffd\ufffdwg3\ufffdY\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdI\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891890,"ip":"35.244.7.152","ts":"2026-06-14 12:30:07.000000","proto":"tcp","src_port":53288,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.863771843992447, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00227478f2dbd947d93c88c94d1baed24c0f\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003A\ufffd\ufffd\ufffd\ufffdq\\u0007v\ufffd\ufffd\ufffd\ufffdF\\u001e\ufffd\ufffd;\ufffdjw\ufffd\\u0011u$\ufffdS]\ufffd6\ufffd! 1\ufffd\ufffdj\ufffd\\u001b_\ufffd\ufffd3\\nX\ufffd\ufffdx\ufffd\ufffd\\u0002U[V\ufffd\ufffd\ufffd\ufffd`\ufffds\ufffd\u04f4\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003A\ufffd\ufffd\ufffd\ufffdq\\u0007v\ufffd\ufffd\ufffd\ufffdF\\u001e\ufffd\ufffd;\ufffdjw\ufffd\\u0011u$\ufffdS]\ufffd6\ufffd! 1\ufffd\ufffdj\ufffd\\u001b_\ufffd\ufffd3\\nX\ufffd\ufffdx\ufffd\ufffd\\u0002U[V\ufffd\ufffd\ufffd\ufffd`\ufffds\ufffd\u04f4\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd%W\\u001aK\\r\ufffd7\ufffdn\ufffd\ufffdN\ufffd\u05fd5__\ufffd\\u0000\ufffdR,\u0026\u042b\\u0003;\ufffd\\u0017B\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003A\ufffd\ufffd\ufffd\ufffdq\\u0007v\ufffd\ufffd\ufffd\ufffdF\\u001e\ufffd\ufffd;\ufffdjw\ufffd\\u0011u$\ufffdS]\ufffd6\ufffd! 1\ufffd\ufffdj\ufffd\\u001b_\ufffd\ufffd3\\nX\ufffd\ufffdx\ufffd\ufffd\\u0002U[V\ufffd\ufffd\ufffd\ufffd`\ufffds\ufffd\u04f4\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c73c8e5e8adccade7fb6d23f8f35bfaa30e33fc4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003A\ufffd\ufffd\ufffd\ufffdq\\u0007v\ufffd\ufffd\ufffd\ufffdF\\u001e\ufffd\ufffd;\ufffdjw\ufffd\\u0011u$\ufffdS]\ufffd6\ufffd! 1\ufffd\ufffdj\ufffd\\u001b_\ufffd\ufffd3\\nX\ufffd\ufffdx\ufffd\ufffd\\u0002U[V\ufffd\ufffd\ufffd\ufffd`\ufffds\ufffd\u04f4\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffdqv\ufffd\ufffd\ufffd\ufffdF\ufffd\ufffd;\ufffdjw\ufffdu$\ufffdS]\ufffd6\ufffd! 1\ufffd\ufffdj\ufffd_\ufffd\ufffd3\\nX\ufffd\ufffdx\ufffd\ufffdU[V\ufffd\ufffd\ufffd\ufffd`\ufffds\ufffd\u04f4\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003A\ufffd\ufffd\ufffd\ufffdq\\u0007v\ufffd\ufffd\ufffd\ufffdF\\u001e\ufffd\ufffd;\ufffdjw\ufffd\\u0011u$\ufffdS]\ufffd6\ufffd! 1\ufffd\ufffdj\ufffd\\u001b_\ufffd\ufffd3\\nX\ufffd\ufffdx\ufffd\ufffd\\u0002U[V\ufffd\ufffd\ufffd\ufffd`\ufffds\ufffd\u04f4\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffdqv\ufffd\ufffd\ufffd\ufffdF\ufffd\ufffd;\ufffdjw\ufffdu$\ufffdS]\ufffd6\ufffd! 1\ufffd\ufffdj\ufffd_\ufffd\ufffd3\\nX\ufffd\ufffdx\ufffd\ufffdU[V\ufffd\ufffd\ufffd\ufffd`\ufffds\ufffd\u04f4\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8891891,"ip":"35.244.7.152","ts":"2026-06-14 12:30:07.000000","proto":"tcp","src_port":53296,"dst_port":6080,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.790056839038245, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 6080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f3d89e05e57730e658fbcc13c9fa0f07ce7f4760\u0022, \u0022event_fingerprint\u0022: \u0022c1b264a3ed00025ccadefbe8c7506310f4cc8af5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00221a114eb7ec69b6207880d756eeba9ac5\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003p\ufffdn\ufffd\\u0004\\\u0022\ufffd\\u000fj\\u0011\ufffdn\\rF\ufffd\\u0012\ufffd%\\u0005f\\r\ufffd}\ufffd\ufffd\ufffd\ufffd\ufffdH*% \ufffdXb{3\ufffd\u003CE\ufffdt\ufffdd\ufffd\\u0012\ufffd\ufffd\ufffdwY\/ \ufffd\ufffd\ufffd\\u0010\ufffd\\u0017W\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003p\ufffdn\ufffd\\u0004\\\u0022\ufffd\\u000fj\\u0011\ufffdn\\rF\ufffd\\u0012\ufffd%\\u0005f\\r\ufffd}\ufffd\ufffd\ufffd\ufffd\ufffdH*% \ufffdXb{3\ufffd\u003CE\ufffdt\ufffdd\ufffd\\u0012\ufffd\ufffd\ufffdwY\/ \ufffd\ufffd\ufffd\\u0010\ufffd\\u0017W\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 b\u04df2:asN\ufffdm%\ufffd\\u001am\\u0005\u0026SE\ufffd\ufffd\u05cd:]\ufffdJ{b\/k\\f\\r\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003p\ufffdn\ufffd\\u0004\\\u0022\ufffd\\u000fj\\u0011\ufffdn\\rF\ufffd\\u0012\ufffd%\\u0005f\\r\ufffd}\ufffd\ufffd\ufffd\ufffd\ufffdH*% \ufffdXb{3\ufffd\u003CE\ufffdt\ufffdd\ufffd\\u0012\ufffd\ufffd\ufffdwY\/ \ufffd\ufffd\ufffd\\u0010\ufffd\\u0017W\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fe3459d2d705810b0799a34a7e5cd374a936dfea\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003p\ufffdn\ufffd\\u0004\\\u0022\ufffd\\u000fj\\u0011\ufffdn\\rF\ufffd\\u0012\ufffd%\\u0005f\\r\ufffd}\ufffd\ufffd\ufffd\ufffd\ufffdH*% \ufffdXb{3\ufffd\u003CE\ufffdt\ufffdd\ufffd\\u0012\ufffd\ufffd\ufffdwY\/ \ufffd\ufffd\ufffd\\u0010\ufffd\\u0017W\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdp\ufffdn\ufffd\\\u0022\ufffdj\ufffdn\\rF\ufffd\ufffd%f\\r\ufffd}\ufffd\ufffd\ufffd\ufffd\ufffdH*% \ufffdXb{3\ufffd\u003CE\ufffdt\ufffdd\ufffd\ufffd\ufffd\ufffdwY\/ \ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6080, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003p\ufffdn\ufffd\\u0004\\\u0022\ufffd\\u000fj\\u0011\ufffdn\\rF\ufffd\\u0012\ufffd%\\u0005f\\r\ufffd}\ufffd\ufffd\ufffd\ufffd\ufffdH*% \ufffdXb{3\ufffd\u003CE\ufffdt\ufffdd\ufffd\\u0012\ufffd\ufffd\ufffdwY\/ \ufffd\ufffd\ufffd\\u0010\ufffd\\u0017W\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 6080, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:6080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdp\ufffdn\ufffd\\\u0022\ufffdj\ufffdn\\rF\ufffd\ufffd%f\\r\ufffd}\ufffd\ufffd\ufffd\ufffd\ufffdH*% \ufffdXb{3\ufffd\u003CE\ufffdt\ufffdd\ufffd\ufffd\ufffd\ufffdwY\/ \ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00226080 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239}],"total_events":60}