Renseignement sur les menaces

R.A.S. chinoise de Hong Kong

38.76.165.207

FAI cognetcloud INC Première vue 18/06/2026 08:57 UTC Dernière vue 18/06/2026 08:57 UTC Risque Moyen

Période analysée : 2026-05-20 → 2026-06-19

Activité suspecte — risque 50/100 (Moyen) — MITRE TA0001 — confiance 59 % — via HTTP

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 56/100 Moyen

Première observation 18/06/2026 08:57 UTC

Dernière observation 18/06/2026 08:57 UTC

Événements (période) 4

MITRE ATT&CK principal TA0001 4 occurrences

Activité suspecte — risque 50/100 (Moyen) — MITRE TA0001 — confiance 59 % — via HTTP

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « xss_attack » (signaux protocolaires) · confiance 59%

Confiance 59 % — Score WAF 84 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 401701 · 38.76.160.0/21 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 4 événements sur la période pour cette IP.

38.76.163.104 Sonde SSH 19/06/2026 14:37 UTC
156.225.29.180 Sonde port 23/TCP 19/06/2026 07:19 UTC
38.76.185.195 Sonde RDP 19/06/2026 00:56 UTC
103.233.254.163 Sonde port 23/TCP 17/06/2026 03:57 UTC
38.76.206.48 port attack 17/06/2026 01:51 UTC
154.219.103.62 Sonde port 23/TCP 16/06/2026 15:02 UTC
149.88.82.86 Sonde RDP 08/06/2026 08:24 UTC
103.106.188.32 Sonde SSH 08/06/2026 02:27 UTC

Événements (filtres)

Première observation

18/06/2026 08:57 UTC

Dernière observation

18/06/2026 08:57 UTC

Dernière activité (filtres)

18/06/2026 08:57 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Géolocalisation

Origine réseau déclarée

R.A.S. chinoise de Hong Kong unknown unknown

FAI / réseau

Opérateur et dernière activité ban

cognetcloud INC 0 Port 8080 xss_attack

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

xss attack · via HTTP:8080 · (tentative d'exploit) · → /web-console/ServerInfo.jsp

Détails protocole

Méthode: HEAD
Chemin: /web-console/ServerInfo.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0

Aperçu payload

HEAD /web-console/ServerInfo.jsp HTTP/1.1 Host: 62.3.50.33:8080 Accept-Encoding: identity Connection: keep-alive Accept: tex

Port / service

8080 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF

Technique MITRE

TA0001

Persona capteur

mail.sensor-1.internal

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0284

Confiance

59%

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

4 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

4 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
18/06/2026 08:57:20 UTC	TCP	8080 · HTTP	http	Cross-site scripting xss attack · via HTTP:8080 · (tentative d'exploit) · → /web-console/ServerInfo.jsp	Élevée	Moyen · 50
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole HEAD /web-console/ServerInfo.jsp UA Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Fir… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP HEAD /web-console/ServerInfo.jsp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode HEAD Port 8080 Chemin / cible /web-console/ServerInfo.jsp Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 50 Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 Ligne de requête `HEAD /web-console/ServerInfo.jsp HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 Règles WAF rce-0 nosqli-3 Payload (extrait) HEAD /web-console/ServerInfo.jsp HTTP/1.1 Host: 62.3.50.33:8080 Accept-Encoding: identity Connection: keep-alive Accept: tex Requête brute (extrait) HEAD /web-console/ServerInfo.jsp HTTP/1.1 Host: 62.3.50.33:8080 Accept-Encoding: identity Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/201 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "jsp", "http_ua_hash": "7e59df8b3d2e55069406031c25610a99ac9401fa", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "b2240d831797358834af693e9253b0ddd3dfd9de", "http_referer_hash": null, "http_method": "HEAD", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 278, "payload_entropy": 5.452658581570056, "port_category": "registered", "org": "cognetcloud INC", "service": "http", "app_proto": "http", "asn": 401701, "country": "HK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 50, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f24aa19b861b9f57d88ee4561751cd3e6d0a2752", "event_fingerprint": "ff38e8e840bf26d37e3458de7099eb13b76eeda2", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 401701, "org": "cognetcloud INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "83b0ef3f238b14d646b97db39adf7951", "payload_hash": "4537fb81b778d6eb2d4cecf7147ac1ef", "path_pattern_hash": "42d9ce94220f3556e4697e91801b50c3" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "HEAD \/web-console\/ServerInfo.jsp HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: tex", "method": "HEAD", "path": "\/web-console\/ServerInfo.jsp", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "HEAD \/web-console\/ServerInfo.jsp HTTP\/1.1", "request_sample": "HEAD \/web-console\/ServerInfo.jsp HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/201", "payload_snippet": "HEAD \/web-console\/ServerInfo.jsp HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: tex", "evidence": { "method": "HEAD", "path": "\/web-console\/ServerInfo.jsp", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "HEAD \/web-console\/ServerInfo.jsp HTTP\/1.1", "request_sample": "HEAD \/web-console\/ServerInfo.jsp HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/201", "payload_snippet": "HEAD \/web-console\/ServerInfo.jsp HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: tex", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d5a5cd9355d9eacc0079d8e5d80887f950a1d967", "protocol_details": { "http_method": "HEAD", "http_path": "\/web-console\/ServerInfo.jsp", "request_line": "HEAD \/web-console\/ServerInfo.jsp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "HEAD \/web-console\/ServerInfo.jsp HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: tex", "attack_vector": "xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web-console\/ServerInfo.jsp", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 50 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "HEAD", "http_path": "\/web-console\/ServerInfo.jsp", "request_line": "HEAD \/web-console\/ServerInfo.jsp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web-console\/ServerInfo.jsp", "evidence_snippet": "HEAD \/web-console\/ServerInfo.jsp HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: tex", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
18/06/2026 08:57:16 UTC	TCP	8080 · HTTP	http	Cross-site scripting xss attack · via HTTP:8080 · (tentative d'exploit) · → /invoker/JMXInvokerServlet	Élevée	Moyen · 50
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole HEAD /invoker/JMXInvokerServlet UA Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Fir… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP HEAD /invoker/JMXInvokerServlet TLS SNI — Capteur paris-1
Preuve / Evidence Méthode HEAD Port 8080 Chemin / cible /invoker/JMXInvokerServlet Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 50 Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 Probe /invoker/ Ligne de requête `HEAD /invoker/JMXInvokerServlet HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 Règles WAF rce-0 nosqli-3 Payload (extrait) HEAD /invoker/JMXInvokerServlet HTTP/1.1 Host: 62.3.50.33:8080 Accept-Encoding: identity Connection: keep-alive Accept: text Requête brute (extrait) HEAD /invoker/JMXInvokerServlet HTTP/1.1 Host: 62.3.50.33:8080 Accept-Encoding: identity Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/2010 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "7e59df8b3d2e55069406031c25610a99ac9401fa", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "a0f436ae702536d2155011dd94871c6ca281a3ef", "http_referer_hash": null, "http_method": "HEAD", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 277, "payload_entropy": 5.452349137861253, "port_category": "registered", "org": "cognetcloud INC", "service": "http", "app_proto": "http", "asn": 401701, "country": "HK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 50, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f24aa19b861b9f57d88ee4561751cd3e6d0a2752", "event_fingerprint": "4831e03765da48a6458fbf2af91e553b45d81d4b", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284", "pat-0261" ], "matched_pattern_names": [ "CRS 941130", "Probe \/invoker\/" ], "pattern_ids": [ "pat-0284", "pat-0261" ], "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 401701, "org": "cognetcloud INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "83b0ef3f238b14d646b97db39adf7951", "payload_hash": "a965755411f282f236eee0cf0ed51e0c", "path_pattern_hash": "73bc8535070d1c1552278dd98ea94c03" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "HEAD \/invoker\/JMXInvokerServlet HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text", "method": "HEAD", "path": "\/invoker\/JMXInvokerServlet", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "HEAD \/invoker\/JMXInvokerServlet HTTP\/1.1", "request_sample": "HEAD \/invoker\/JMXInvokerServlet HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/2010", "payload_snippet": "HEAD \/invoker\/JMXInvokerServlet HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text", "evidence": { "method": "HEAD", "path": "\/invoker\/JMXInvokerServlet", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "HEAD \/invoker\/JMXInvokerServlet HTTP\/1.1", "request_sample": "HEAD \/invoker\/JMXInvokerServlet HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/2010", "payload_snippet": "HEAD \/invoker\/JMXInvokerServlet HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8835ac54a1a4781ce3d2280ebd7853a5bb9f9a5d", "protocol_details": { "http_method": "HEAD", "http_path": "\/invoker\/JMXInvokerServlet", "request_line": "HEAD \/invoker\/JMXInvokerServlet HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "HEAD \/invoker\/JMXInvokerServlet HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text", "attack_vector": "xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/invoker\/JMXInvokerServlet", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 50 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "HEAD", "http_path": "\/invoker\/JMXInvokerServlet", "request_line": "HEAD \/invoker\/JMXInvokerServlet HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/invoker\/JMXInvokerServlet", "evidence_snippet": "HEAD \/invoker\/JMXInvokerServlet HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
18/06/2026 08:57:13 UTC	TCP	8080 · HTTP	http	Cross-site scripting xss attack · via HTTP:8080 · (tentative d'exploit) · → /jmx-console/HtmlAdaptor	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole HEAD /jmx-console/HtmlAdaptor UA Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Fir… Émulateur HTTP WAF 28 Recommandation Investiguer Tags 950325:rce-0 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP HEAD /jmx-console/HtmlAdaptor TLS SNI — Capteur paris-1
Preuve / Evidence Méthode HEAD Port 8080 Chemin / cible /jmx-console/HtmlAdaptor Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 56 Confiance : Confiance 59 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 Probe /jmx-console/ Ligne de requête `HEAD /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 Règles WAF rce-0 nosqli-3 Payload (extrait) HEAD /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP/1.1 Host: 62.3.50.33:8080 Accept-Enco Requête brute (extrait) HEAD /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP/1.1 Host: 62.3.50.33:8080 Accept-Encoding: identity Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Moz Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "7e59df8b3d2e55069406031c25610a99ac9401fa", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "013635062b4e80d82c3a6aa876007ad7204b7bf2", "http_referer_hash": null, "http_method": "HEAD", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 329, "payload_entropy": 5.454574354848821, "port_category": "registered", "org": "cognetcloud INC", "service": "http", "app_proto": "http", "asn": 401701, "country": "HK", "dst_port": 8080, "risk_waf": 100, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 100, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 30 }, "risk_score": 56, "tag_count": 6, "anomaly_count": 1, "campaign_key": "65811ec5bc9cb567f9c30db6be378242f49286c5", "event_fingerprint": "8546834efc8340ad588b45d869c0c8783fded7a9", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284", "pat-0264" ], "matched_pattern_names": [ "CRS 941130", "Probe \/jmx-console\/" ], "pattern_ids": [ "pat-0284", "pat-0264" ], "confidence_breakdown": { "waf": 100, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 30, "risk_score": 56 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 401701, "org": "cognetcloud INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "83b0ef3f238b14d646b97db39adf7951", "payload_hash": "d616a77c7aced22c5b6ac7cca82a7ea3", "path_pattern_hash": "e30bdfb95090db3d5f15ae42262b5b47" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "HEAD \/jmx-console\/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Enco", "method": "HEAD", "path": "\/jmx-console\/HtmlAdaptor", "query_string": "action=inspectMBean&name=jboss.system:type=ServerInfo", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "waf_tags": [ "950325:rce-0", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "HEAD \/jmx-console\/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP\/1.1", "request_sample": "HEAD \/jmx-console\/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nUser-Agent: Moz", "payload_snippet": "HEAD \/jmx-console\/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Enco", "evidence": { "method": "HEAD", "path": "\/jmx-console\/HtmlAdaptor", "query_string": "action=inspectMBean&name=jboss.system:type=ServerInfo", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "waf_tags": [ "950325:rce-0", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "HEAD \/jmx-console\/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP\/1.1", "request_sample": "HEAD \/jmx-console\/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nUser-Agent: Moz", "payload_snippet": "HEAD \/jmx-console\/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Enco", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b740c9a251b49dbe9fb04b025e2de91fbe6f099", "protocol_details": { "http_method": "HEAD", "http_path": "\/jmx-console\/HtmlAdaptor", "request_line": "HEAD \/jmx-console\/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "HEAD \/jmx-console\/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Enco", "attack_vector": "xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/jmx-console\/HtmlAdaptor", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 30, "risk_score": 56 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "HEAD", "http_path": "\/jmx-console\/HtmlAdaptor", "request_line": "HEAD \/jmx-console\/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/jmx-console\/HtmlAdaptor", "evidence_snippet": "HEAD \/jmx-console\/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Enco", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "anomaly:high-entropy-query", "net_web_probe" ] }
18/06/2026 08:57:10 UTC	TCP	8080 · HTTP	http	Cross-site scripting xss attack · via HTTP:8080 · (tentative d'exploit) · → /invoker/EJBInvokerServlet	Élevée	Moyen · 50
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole HEAD /invoker/EJBInvokerServlet UA Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Fir… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP HEAD /invoker/EJBInvokerServlet TLS SNI — Capteur paris-1
Preuve / Evidence Méthode HEAD Port 8080 Chemin / cible /invoker/EJBInvokerServlet Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 50 Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 Probe /invoker/ Ligne de requête `HEAD /invoker/EJBInvokerServlet HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 Règles WAF rce-0 nosqli-3 Payload (extrait) HEAD /invoker/EJBInvokerServlet HTTP/1.1 Host: 62.3.50.33:8080 Accept-Encoding: identity Connection: keep-alive Accept: text Requête brute (extrait) HEAD /invoker/EJBInvokerServlet HTTP/1.1 Host: 62.3.50.33:8080 Accept-Encoding: identity Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/2010 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "7e59df8b3d2e55069406031c25610a99ac9401fa", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "ea4e20a4880fb4884e30ac773351ee5e99833de8", "http_referer_hash": null, "http_method": "HEAD", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 277, "payload_entropy": 5.449623912221673, "port_category": "registered", "org": "cognetcloud INC", "service": "http", "app_proto": "http", "asn": 401701, "country": "HK", "dst_port": 8080, "risk_waf": 84, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 50, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f24aa19b861b9f57d88ee4561751cd3e6d0a2752", "event_fingerprint": "c03132dfb03352999a96aa7a484eaf1aff822496", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284", "pat-0261" ], "matched_pattern_names": [ "CRS 941130", "Probe \/invoker\/" ], "pattern_ids": [ "pat-0284", "pat-0261" ], "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 401701, "org": "cognetcloud INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "83b0ef3f238b14d646b97db39adf7951", "payload_hash": "2afe863b741349bbb9e2487e454b8663", "path_pattern_hash": "ca72b18d705a22beb641f32472b2a0d1" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "HEAD \/invoker\/EJBInvokerServlet HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text", "method": "HEAD", "path": "\/invoker\/EJBInvokerServlet", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "HEAD \/invoker\/EJBInvokerServlet HTTP\/1.1", "request_sample": "HEAD \/invoker\/EJBInvokerServlet HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/2010", "payload_snippet": "HEAD \/invoker\/EJBInvokerServlet HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text", "evidence": { "method": "HEAD", "path": "\/invoker\/EJBInvokerServlet", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "HEAD \/invoker\/EJBInvokerServlet HTTP\/1.1", "request_sample": "HEAD \/invoker\/EJBInvokerServlet HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/2010", "payload_snippet": "HEAD \/invoker\/EJBInvokerServlet HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2eb8f511b51d9627016fd6ba13a806669c57c0a6", "protocol_details": { "http_method": "HEAD", "http_path": "\/invoker\/EJBInvokerServlet", "request_line": "HEAD \/invoker\/EJBInvokerServlet HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "HEAD \/invoker\/EJBInvokerServlet HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text", "attack_vector": "xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/invoker\/EJBInvokerServlet", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 50 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "HEAD", "http_path": "\/invoker\/EJBInvokerServlet", "request_line": "HEAD \/invoker\/EJBInvokerServlet HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/invoker\/EJBInvokerServlet", "evidence_snippet": "HEAD \/invoker\/EJBInvokerServlet HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nAccept-Encoding: identity\r\nConnection: keep-alive\r\nAccept: text", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

38.76.165.207

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

38.76.165.207

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence