{"ip":"45.148.10.147","exported_at":"2026-07-19T00:09:10+00:00","period_days":30,"metrics":{"events7d":115,"distinct_ports":1,"distinct_classifications":1,"max_severity":6,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":50,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":8,"classification":50,"behavior":0,"geo":0,"protocol":36,"novelty":25},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"T1046","top_mitre_technique":"T1046","top_mitre_count":115,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":50,"behavior":0,"geo":0,"protocol":36,"novelty":25,"risk_score":50},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":100,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["Client SSH libssh\/paramiko (scanner)","pat-0389","pat-0391","Upstream"],"tags_summary":["INT-ssh-libssh-ua","pat-0389","pat-0391","INT-upstream"],"attack_vector":"Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)","protocol_details":{"ssh_banner":"SSH-2.0-PUTTY\r\n\u0000\u0000\u0005|\u0005\u0014u\ufffd\u0011\u0015\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffd\u0000\u0000\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec","payload_preview":"SSH-2.0-PUTTY\r\n\u0000\u0000\u0005|\u0005\u0014u\ufffd\u0011\u0015\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffd\u0000\u0000\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec","port":22,"service":"ssh","service_label_fr":"SSH"},"protocol_summary_fr":"SSH: SSH-2.0-PUTTY\r\n\u0000\u0000\u0005|\u0005\u0014u\ufffd\u0011\u0015\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffd\u0000\u0000\u0001hcurve25519-sha256,curve25519-sha256@li\u2026 \u00b7 Payload SSH-2.0-PUTTY\r\n\u0000\u0000\u0005|\u0005\u0014u\ufffd\u0011\u0015\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffd\u0000\u0000\u0001hcurve25519-sha256,curv\u2026 \u00b7 SSH:22","evidence_snippet":"SSH-2.0-PUTTY\r\n|u\ufffd\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec","target_port_label":"22 \u00b7 SSH","emulator_service":"ssh","confidence_reason":"Confiance 100 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%","classification_reason_label_fr":"Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 8","payload_preview":"SSH-2.0-PUTTY\r\n|u\ufffd\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec"},"events":[{"id":12810656,"ip":"45.148.10.147","ts":"2026-07-18 21:33:45.000000","proto":"tcp","src_port":48150,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.836673012647046, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225c752b90e700ad69300f2cf300e3a11e\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014u\ufffd\\u0011\\u0015\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014u\ufffd\\u0011\\u0015\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014u\ufffd\\u0011\\u0015\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014u\ufffd\\u0011\\u0015\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014u\ufffd\\u0011\\u0015\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a277080fef148b26af222f604eb403e23a174ee8\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014u\ufffd\\u0011\\u0015\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014u\ufffd\\u0011\\u0015\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|u\ufffd\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014u\ufffd\\u0011\\u0015\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014u\ufffd\\u0011\\u0015\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|u\ufffd\ufffd@\ufffd%da\ufffd\ufffdyD\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12806385,"ip":"45.148.10.147","ts":"2026-07-18 20:16:45.000000","proto":"tcp","src_port":10562,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.851551426535894, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002297cb13b494de41b13e6ce1e03c989ead\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014{?I\ufffd\ufffdE\ufffd\ufffd\u003C\\u0017^\ufffdn\u0617.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014{?I\ufffd\ufffdE\ufffd\ufffd\u003C\\u0017^\ufffdn\u0617.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014{?I\ufffd\ufffdE\ufffd\ufffd\u003C\\u0017^\ufffdn\u0617.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014{?I\ufffd\ufffdE\ufffd\ufffd\u003C\\u0017^\ufffdn\u0617.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014{?I\ufffd\ufffdE\ufffd\ufffd\u003C\\u0017^\ufffdn\u0617.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220a8d4c3d8d226c123ec0e3eb3a49f7825a91fed6\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014{?I\ufffd\ufffdE\ufffd\ufffd\u003C\\u0017^\ufffdn\u0617.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014{?I\ufffd\ufffdE\ufffd\ufffd\u003C\\u0017^\ufffdn\u0617.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|{?I\ufffd\ufffdE\ufffd\ufffd\u003C^\ufffdn\u0617.hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014{?I\ufffd\ufffdE\ufffd\ufffd\u003C\\u0017^\ufffdn\u0617.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014{?I\ufffd\ufffdE\ufffd\ufffd\u003C\\u0017^\ufffdn\u0617.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|{?I\ufffd\ufffdE\ufffd\ufffd\u003C^\ufffdn\u0617.hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12805597,"ip":"45.148.10.147","ts":"2026-07-18 20:01:21.000000","proto":"tcp","src_port":24628,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.847968696037956, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e372b94cc593dd1d6795a86022bc545d\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdH\ufffdOP\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0001\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdH\ufffdOP\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0001\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdH\ufffdOP\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0001\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdH\ufffdOP\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0001\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdH\ufffdOP\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0001\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022474da9cdd68dd85720261cef0f7fe3a62aa22662\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdH\ufffdOP\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0001\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdH\ufffdOP\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0001\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffdH\ufffdOP\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdH\ufffdOP\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0001\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdH\ufffdOP\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0001\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffdH\ufffdOP\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12803231,"ip":"45.148.10.147","ts":"2026-07-18 19:14:36.000000","proto":"tcp","src_port":32176,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.834334308854509, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225b528cda0478ab84302c90af48a47606\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014_Bh\\u001b\ua66f\\u0000\ufffdm\ufffdz\\u0015DW6\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014_Bh\\u001b\ua66f\\u0000\ufffdm\ufffdz\\u0015DW6\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014_Bh\\u001b\ua66f\\u0000\ufffdm\ufffdz\\u0015DW6\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014_Bh\\u001b\ua66f\\u0000\ufffdm\ufffdz\\u0015DW6\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014_Bh\\u001b\ua66f\\u0000\ufffdm\ufffdz\\u0015DW6\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229a62e5b55a1dc963f1f14b8a04b86636378d51c5\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014_Bh\\u001b\ua66f\\u0000\ufffdm\ufffdz\\u0015DW6\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014_Bh\\u001b\ua66f\\u0000\ufffdm\ufffdz\\u0015DW6\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|_Bh\ua66f\ufffdm\ufffdzDW6hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014_Bh\\u001b\ua66f\\u0000\ufffdm\ufffdz\\u0015DW6\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014_Bh\\u001b\ua66f\\u0000\ufffdm\ufffdz\\u0015DW6\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|_Bh\ua66f\ufffdm\ufffdzDW6hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12785292,"ip":"45.148.10.147","ts":"2026-07-18 15:01:48.000000","proto":"tcp","src_port":15070,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.851292467746254, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002206174a84191ffb3d635a988df8a86d41\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Z\ufffd\ufffd\ufffd\ufffd]`\\u001f\ufffd\ufffd\ufffd!9\ufffd4\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Z\ufffd\ufffd\ufffd\ufffd]`\\u001f\ufffd\ufffd\ufffd!9\ufffd4\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Z\ufffd\ufffd\ufffd\ufffd]`\\u001f\ufffd\ufffd\ufffd!9\ufffd4\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Z\ufffd\ufffd\ufffd\ufffd]`\\u001f\ufffd\ufffd\ufffd!9\ufffd4\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Z\ufffd\ufffd\ufffd\ufffd]`\\u001f\ufffd\ufffd\ufffd!9\ufffd4\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d1dec13ae2ed011dc0e08361fe5e54f0311674f4\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Z\ufffd\ufffd\ufffd\ufffd]`\\u001f\ufffd\ufffd\ufffd!9\ufffd4\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Z\ufffd\ufffd\ufffd\ufffd]`\\u001f\ufffd\ufffd\ufffd!9\ufffd4\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|Z\ufffd\ufffd\ufffd\ufffd]`\ufffd\ufffd\ufffd!9\ufffd4hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Z\ufffd\ufffd\ufffd\ufffd]`\\u001f\ufffd\ufffd\ufffd!9\ufffd4\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Z\ufffd\ufffd\ufffd\ufffd]`\\u001f\ufffd\ufffd\ufffd!9\ufffd4\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|Z\ufffd\ufffd\ufffd\ufffd]`\ufffd\ufffd\ufffd!9\ufffd4hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12784555,"ip":"45.148.10.147","ts":"2026-07-18 14:46:20.000000","proto":"tcp","src_port":2676,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.843655749483666, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002236ec28f198ffdcc914efc549ce546f71\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffdf\/,@\\u0014\ufffdz\ufffd\ufffd\\u0019\ufffdxA\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffdf\/,@\\u0014\ufffdz\ufffd\ufffd\\u0019\ufffdxA\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffdf\/,@\\u0014\ufffdz\ufffd\ufffd\\u0019\ufffdxA\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffdf\/,@\\u0014\ufffdz\ufffd\ufffd\\u0019\ufffdxA\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffdf\/,@\\u0014\ufffdz\ufffd\ufffd\\u0019\ufffdxA\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221e96c09afb5f0e79569a89ebade61206afda9e7d\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffdf\/,@\\u0014\ufffdz\ufffd\ufffd\\u0019\ufffdxA\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffdf\/,@\\u0014\ufffdz\ufffd\ufffd\\u0019\ufffdxA\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffdf\/,@\ufffdz\ufffd\ufffd\ufffdxAhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffdf\/,@\\u0014\ufffdz\ufffd\ufffd\\u0019\ufffdxA\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffdf\/,@\\u0014\ufffdz\ufffd\ufffd\\u0019\ufffdxA\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffdf\/,@\ufffdz\ufffd\ufffd\ufffdxAhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12784068,"ip":"45.148.10.147","ts":"2026-07-18 14:36:06.000000","proto":"tcp","src_port":28264,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.842895038861181, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e595c621d9d36f15e89814f19862afd7\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000e\ufffd\ufffd\ufffd\ufffdb\\u0014\ufffd\ufffd\\u0004a\ufffd\ufffd\u047a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000e\ufffd\ufffd\ufffd\ufffdb\\u0014\ufffd\ufffd\\u0004a\ufffd\ufffd\u047a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000e\ufffd\ufffd\ufffd\ufffdb\\u0014\ufffd\ufffd\\u0004a\ufffd\ufffd\u047a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000e\ufffd\ufffd\ufffd\ufffdb\\u0014\ufffd\ufffd\\u0004a\ufffd\ufffd\u047a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000e\ufffd\ufffd\ufffd\ufffdb\\u0014\ufffd\ufffd\\u0004a\ufffd\ufffd\u047a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229f5dc93c5926a1abf0141c6861259e16fb2a1ea4\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000e\ufffd\ufffd\ufffd\ufffdb\\u0014\ufffd\ufffd\\u0004a\ufffd\ufffd\u047a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000e\ufffd\ufffd\ufffd\ufffdb\\u0014\ufffd\ufffd\\u0004a\ufffd\ufffd\u047a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffd\ufffdb\ufffd\ufffda\ufffd\ufffd\u047a\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000e\ufffd\ufffd\ufffd\ufffdb\\u0014\ufffd\ufffd\\u0004a\ufffd\ufffd\u047a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000e\ufffd\ufffd\ufffd\ufffdb\\u0014\ufffd\ufffd\\u0004a\ufffd\ufffd\u047a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffd\ufffdb\ufffd\ufffda\ufffd\ufffd\u047a\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12782336,"ip":"45.148.10.147","ts":"2026-07-18 14:05:01.000000","proto":"tcp","src_port":35078,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.837347366118922, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222a86d21f441fa18c76c9267e57fbfe96\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffdhF$\ufffd\\u001c3K\ufffdp\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffdhF$\ufffd\\u001c3K\ufffdp\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffdhF$\ufffd\\u001c3K\ufffdp\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffdhF$\ufffd\\u001c3K\ufffdp\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffdhF$\ufffd\\u001c3K\ufffdp\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e0c5d59c314463391661c12dc9745d454348f6df\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffdhF$\ufffd\\u001c3K\ufffdp\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffdhF$\ufffd\\u001c3K\ufffdp\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffd\ufffd\ufffdhF$\ufffd3K\ufffdphcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffdhF$\ufffd\\u001c3K\ufffdp\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffdhF$\ufffd\\u001c3K\ufffdp\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffd\ufffd\ufffdhF$\ufffd3K\ufffdphcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12778536,"ip":"45.148.10.147","ts":"2026-07-18 13:18:13.000000","proto":"tcp","src_port":49508,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.844180917653901, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e1d52b2034fc127ae928f5c9d81a5fb3\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\fG\ufffd\\u001dd\ufffd\ufffd\ufffdt\ufffd\ufffd:\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\fG\ufffd\\u001dd\ufffd\ufffd\ufffdt\ufffd\ufffd:\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\fG\ufffd\\u001dd\ufffd\ufffd\ufffdt\ufffd\ufffd:\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\fG\ufffd\\u001dd\ufffd\ufffd\ufffdt\ufffd\ufffd:\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\fG\ufffd\\u001dd\ufffd\ufffd\ufffdt\ufffd\ufffd:\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002237aec2d1b99dcde7c67669927b5e2502cc4ffb4b\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\fG\ufffd\\u001dd\ufffd\ufffd\ufffdt\ufffd\ufffd:\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\fG\ufffd\\u001dd\ufffd\ufffd\ufffdt\ufffd\ufffd:\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffdG\ufffdd\ufffd\ufffd\ufffdt\ufffd\ufffd:\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\fG\ufffd\\u001dd\ufffd\ufffd\ufffdt\ufffd\ufffd:\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\fG\ufffd\\u001dd\ufffd\ufffd\ufffdt\ufffd\ufffd:\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffdG\ufffdd\ufffd\ufffd\ufffdt\ufffd\ufffd:\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12774482,"ip":"45.148.10.147","ts":"2026-07-18 12:19:57.000000","proto":"tcp","src_port":56044,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.853429623711532, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222e0ef1361d7baf16b71279355c7eca7a\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_K\\u001e\\\\\\n\ufffd?\\u001fw\ufffd\\u0011\ufffd\ufffds\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_K\\u001e\\\\\\n\ufffd?\\u001fw\ufffd\\u0011\ufffd\ufffds\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_K\\u001e\\\\\\n\ufffd?\\u001fw\ufffd\\u0011\ufffd\ufffds\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_K\\u001e\\\\\\n\ufffd?\\u001fw\ufffd\\u0011\ufffd\ufffds\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_K\\u001e\\\\\\n\ufffd?\\u001fw\ufffd\\u0011\ufffd\ufffds\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f002b3416accbdcd7fc47cbbf87d686c2d6463d1\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_K\\u001e\\\\\\n\ufffd?\\u001fw\ufffd\\u0011\ufffd\ufffds\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_K\\u001e\\\\\\n\ufffd?\\u001fw\ufffd\\u0011\ufffd\ufffds\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd_K\\\\\\n\ufffd?w\ufffd\ufffd\ufffds\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_K\\u001e\\\\\\n\ufffd?\\u001fw\ufffd\\u0011\ufffd\ufffds\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_K\\u001e\\\\\\n\ufffd?\\u001fw\ufffd\\u0011\ufffd\ufffds\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd_K\\\\\\n\ufffd?w\ufffd\ufffd\ufffds\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12773221,"ip":"45.148.10.147","ts":"2026-07-18 11:59:03.000000","proto":"tcp","src_port":18656,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.843442906231797, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222313181692bc2758360a052c82fa5faf\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+xc\ufffdA\ufffdM\ufffd5\ufffd\\f(\ufffd\\u0007X\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+xc\ufffdA\ufffdM\ufffd5\ufffd\\f(\ufffd\\u0007X\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+xc\ufffdA\ufffdM\ufffd5\ufffd\\f(\ufffd\\u0007X\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+xc\ufffdA\ufffdM\ufffd5\ufffd\\f(\ufffd\\u0007X\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+xc\ufffdA\ufffdM\ufffd5\ufffd\\f(\ufffd\\u0007X\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d257c2ed155b74514afc3c84a57e691c5ba7ca2e\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+xc\ufffdA\ufffdM\ufffd5\ufffd\\f(\ufffd\\u0007X\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+xc\ufffdA\ufffdM\ufffd5\ufffd\\f(\ufffd\\u0007X\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|+xc\ufffdA\ufffdM\ufffd5\ufffd(\ufffdXhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+xc\ufffdA\ufffdM\ufffd5\ufffd\\f(\ufffd\\u0007X\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+xc\ufffdA\ufffdM\ufffd5\ufffd\\f(\ufffd\\u0007X\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|+xc\ufffdA\ufffdM\ufffd5\ufffd(\ufffdXhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12770842,"ip":"45.148.10.147","ts":"2026-07-18 11:27:46.000000","proto":"tcp","src_port":20020,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.81898545336598, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002220e1f7b2ee4507244380c41060cc759f\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u00141v\ufffdBipx\ufffd\ufffdop\ufffd\ufffd.\ufffdm\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u00141v\ufffdBipx\ufffd\ufffdop\ufffd\ufffd.\ufffdm\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u00141v\ufffdBipx\ufffd\ufffdop\ufffd\ufffd.\ufffdm\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u00141v\ufffdBipx\ufffd\ufffdop\ufffd\ufffd.\ufffdm\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u00141v\ufffdBipx\ufffd\ufffdop\ufffd\ufffd.\ufffdm\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022608f3db77cab437b28ba8f35e10f0f6e9b06b380\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u00141v\ufffdBipx\ufffd\ufffdop\ufffd\ufffd.\ufffdm\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u00141v\ufffdBipx\ufffd\ufffdop\ufffd\ufffd.\ufffdm\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|1v\ufffdBipx\ufffd\ufffdop\ufffd\ufffd.\ufffdmhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u00141v\ufffdBipx\ufffd\ufffdop\ufffd\ufffd.\ufffdm\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u00141v\ufffdBipx\ufffd\ufffdop\ufffd\ufffd.\ufffdm\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|1v\ufffdBipx\ufffd\ufffdop\ufffd\ufffd.\ufffdmhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12770420,"ip":"45.148.10.147","ts":"2026-07-18 11:22:29.000000","proto":"tcp","src_port":46314,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.829594449569868, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223e5a9391f876ceafa5d9eb7f4ed97518\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u5ce2M;\ufffdy\ufffd\ufffd\\f\ufffd\\u0000@{t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u5ce2M;\ufffdy\ufffd\ufffd\\f\ufffd\\u0000@{t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u5ce2M;\ufffdy\ufffd\ufffd\\f\ufffd\\u0000@{t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u5ce2M;\ufffdy\ufffd\ufffd\\f\ufffd\\u0000@{t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u5ce2M;\ufffdy\ufffd\ufffd\\f\ufffd\\u0000@{t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221e08423abd9fc6f5c0be1bb807a9dcbfec31babd\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u5ce2M;\ufffdy\ufffd\ufffd\\f\ufffd\\u0000@{t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u5ce2M;\ufffdy\ufffd\ufffd\\f\ufffd\\u0000@{t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\u5ce2M;\ufffdy\ufffd\ufffd\ufffd@{thcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u5ce2M;\ufffdy\ufffd\ufffd\\f\ufffd\\u0000@{t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u5ce2M;\ufffdy\ufffd\ufffd\\f\ufffd\\u0000@{t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\u5ce2M;\ufffdy\ufffd\ufffd\ufffd@{thcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12747406,"ip":"45.148.10.147","ts":"2026-07-18 10:30:32.000000","proto":"tcp","src_port":62268,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.832227025843287, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002210d594e9bf8b10f5724f9225d398bacc\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014,\ufffd\\u000b\\u000e\ufffd\u0026\ufffd\\nD\ufffdf\ufffdk%-y\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014,\ufffd\\u000b\\u000e\ufffd\u0026\ufffd\\nD\ufffdf\ufffdk%-y\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014,\ufffd\\u000b\\u000e\ufffd\u0026\ufffd\\nD\ufffdf\ufffdk%-y\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014,\ufffd\\u000b\\u000e\ufffd\u0026\ufffd\\nD\ufffdf\ufffdk%-y\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014,\ufffd\\u000b\\u000e\ufffd\u0026\ufffd\\nD\ufffdf\ufffdk%-y\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225c7cd0194fc95c874e02e678545edd73eb044be2\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014,\ufffd\\u000b\\u000e\ufffd\u0026\ufffd\\nD\ufffdf\ufffdk%-y\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014,\ufffd\\u000b\\u000e\ufffd\u0026\ufffd\\nD\ufffdf\ufffdk%-y\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|,\ufffd\ufffd\u0026\ufffd\\nD\ufffdf\ufffdk%-yhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014,\ufffd\\u000b\\u000e\ufffd\u0026\ufffd\\nD\ufffdf\ufffdk%-y\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014,\ufffd\\u000b\\u000e\ufffd\u0026\ufffd\\nD\ufffdf\ufffdk%-y\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|,\ufffd\ufffd\u0026\ufffd\\nD\ufffdf\ufffdk%-yhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12727853,"ip":"45.148.10.147","ts":"2026-07-18 06:07:39.000000","proto":"tcp","src_port":31436,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.84398948189363, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002257726f9a1e831584d989a829c880338a\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014!\\u0016758\\u000e\ufffd\ufffd\ufffd\\u0019\\u0001\ufffd\u0381\\n\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014!\\u0016758\\u000e\ufffd\ufffd\ufffd\\u0019\\u0001\ufffd\u0381\\n\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014!\\u0016758\\u000e\ufffd\ufffd\ufffd\\u0019\\u0001\ufffd\u0381\\n\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014!\\u0016758\\u000e\ufffd\ufffd\ufffd\\u0019\\u0001\ufffd\u0381\\n\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014!\\u0016758\\u000e\ufffd\ufffd\ufffd\\u0019\\u0001\ufffd\u0381\\n\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229c24a6714fb12ca7d2dc8a37d6e52c5445f029bd\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014!\\u0016758\\u000e\ufffd\ufffd\ufffd\\u0019\\u0001\ufffd\u0381\\n\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014!\\u0016758\\u000e\ufffd\ufffd\ufffd\\u0019\\u0001\ufffd\u0381\\n\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|!758\ufffd\ufffd\ufffd\ufffd\u0381\\n\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014!\\u0016758\\u000e\ufffd\ufffd\ufffd\\u0019\\u0001\ufffd\u0381\\n\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014!\\u0016758\\u000e\ufffd\ufffd\ufffd\\u0019\\u0001\ufffd\u0381\\n\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|!758\ufffd\ufffd\ufffd\ufffd\u0381\\n\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12724828,"ip":"45.148.10.147","ts":"2026-07-18 05:31:10.000000","proto":"tcp","src_port":35682,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.843625408793481, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226e50a78add832d817408aaa3125bf6e7\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdS\\u0016\ufffd\ufffd\\u001c\ufffdH6;\ufffd\u0701e\ufffd\\u0002\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdS\\u0016\ufffd\ufffd\\u001c\ufffdH6;\ufffd\u0701e\ufffd\\u0002\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdS\\u0016\ufffd\ufffd\\u001c\ufffdH6;\ufffd\u0701e\ufffd\\u0002\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdS\\u0016\ufffd\ufffd\\u001c\ufffdH6;\ufffd\u0701e\ufffd\\u0002\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdS\\u0016\ufffd\ufffd\\u001c\ufffdH6;\ufffd\u0701e\ufffd\\u0002\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229d6cfd6fd401ac1b7c50020f74cd0898e1f388c4\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdS\\u0016\ufffd\ufffd\\u001c\ufffdH6;\ufffd\u0701e\ufffd\\u0002\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdS\\u0016\ufffd\ufffd\\u001c\ufffdH6;\ufffd\u0701e\ufffd\\u0002\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffdS\ufffd\ufffd\ufffdH6;\ufffd\u0701e\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdS\\u0016\ufffd\ufffd\\u001c\ufffdH6;\ufffd\u0701e\ufffd\\u0002\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdS\\u0016\ufffd\ufffd\\u001c\ufffdH6;\ufffd\u0701e\ufffd\\u0002\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffdS\ufffd\ufffd\ufffdH6;\ufffd\u0701e\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12720221,"ip":"45.148.10.147","ts":"2026-07-18 04:28:14.000000","proto":"tcp","src_port":12956,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.8514112179817275, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ec939d35b5281449a22c025988f576c2\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdW:K\\u0011\\u000ba\ufffd\ufffd\ufffd\u036b!\ufffd{\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdW:K\\u0011\\u000ba\ufffd\ufffd\ufffd\u036b!\ufffd{\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdW:K\\u0011\\u000ba\ufffd\ufffd\ufffd\u036b!\ufffd{\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdW:K\\u0011\\u000ba\ufffd\ufffd\ufffd\u036b!\ufffd{\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdW:K\\u0011\\u000ba\ufffd\ufffd\ufffd\u036b!\ufffd{\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f0d8a567f89bcb501608939d80c2bbad536e87e0\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdW:K\\u0011\\u000ba\ufffd\ufffd\ufffd\u036b!\ufffd{\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdW:K\\u0011\\u000ba\ufffd\ufffd\ufffd\u036b!\ufffd{\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffdW:Ka\ufffd\ufffd\ufffd\u036b!\ufffd{hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdW:K\\u0011\\u000ba\ufffd\ufffd\ufffd\u036b!\ufffd{\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdW:K\\u0011\\u000ba\ufffd\ufffd\ufffd\u036b!\ufffd{\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffdW:Ka\ufffd\ufffd\ufffd\u036b!\ufffd{hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12719577,"ip":"45.148.10.147","ts":"2026-07-18 04:17:37.000000","proto":"tcp","src_port":36428,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.850707895526155, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f721320eda5299158ab695c7c39ae59b\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdH\ufffd\ufffd\\u0016\ufffd\ufffd\ufffdf\ufffd\ufffd\u05b4K\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdH\ufffd\ufffd\\u0016\ufffd\ufffd\ufffdf\ufffd\ufffd\u05b4K\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdH\ufffd\ufffd\\u0016\ufffd\ufffd\ufffdf\ufffd\ufffd\u05b4K\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdH\ufffd\ufffd\\u0016\ufffd\ufffd\ufffdf\ufffd\ufffd\u05b4K\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdH\ufffd\ufffd\\u0016\ufffd\ufffd\ufffdf\ufffd\ufffd\u05b4K\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c66a090551f449a1c56d3b1812f31ee63505e2e2\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdH\ufffd\ufffd\\u0016\ufffd\ufffd\ufffdf\ufffd\ufffd\u05b4K\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdH\ufffd\ufffd\\u0016\ufffd\ufffd\ufffdf\ufffd\ufffd\u05b4K\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffdH\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffd\u05b4K\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdH\ufffd\ufffd\\u0016\ufffd\ufffd\ufffdf\ufffd\ufffd\u05b4K\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdH\ufffd\ufffd\\u0016\ufffd\ufffd\ufffdf\ufffd\ufffd\u05b4K\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffdH\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffd\u05b4K\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12717031,"ip":"45.148.10.147","ts":"2026-07-18 03:41:38.000000","proto":"tcp","src_port":48542,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.845131432952275, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c8629b731872eaa7bf4e38a3dedcaed8\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014o\ufffd\\u0007\ufffdUj3\ufffd\ufffd\ufffdR]E;Ty\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014o\ufffd\\u0007\ufffdUj3\ufffd\ufffd\ufffdR]E;Ty\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014o\ufffd\\u0007\ufffdUj3\ufffd\ufffd\ufffdR]E;Ty\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014o\ufffd\\u0007\ufffdUj3\ufffd\ufffd\ufffdR]E;Ty\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014o\ufffd\\u0007\ufffdUj3\ufffd\ufffd\ufffdR]E;Ty\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eb04c4affc37aeecabfe46da5f52df1458f56b49\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014o\ufffd\\u0007\ufffdUj3\ufffd\ufffd\ufffdR]E;Ty\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014o\ufffd\\u0007\ufffdUj3\ufffd\ufffd\ufffdR]E;Ty\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|o\ufffd\ufffdUj3\ufffd\ufffd\ufffdR]E;Tyhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014o\ufffd\\u0007\ufffdUj3\ufffd\ufffd\ufffdR]E;Ty\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014o\ufffd\\u0007\ufffdUj3\ufffd\ufffd\ufffdR]E;Ty\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|o\ufffd\ufffdUj3\ufffd\ufffd\ufffdR]E;Tyhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12716698,"ip":"45.148.10.147","ts":"2026-07-18 03:36:27.000000","proto":"tcp","src_port":27792,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.841460049882632, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022081381109b10f183e55cfa54cbf08166\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\u003C+\\u001e\u0771\ufffd\\u0001\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\u003C+\\u001e\u0771\ufffd\\u0001\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\u003C+\\u001e\u0771\ufffd\\u0001\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\u003C+\\u001e\u0771\ufffd\\u0001\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\u003C+\\u001e\u0771\ufffd\\u0001\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225d36157c2668e0aee84ee48ca71c3759b15878d0\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\u003C+\\u001e\u0771\ufffd\\u0001\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\u003C+\\u001e\u0771\ufffd\\u0001\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003C+\u0771\ufffd\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\u003C+\\u001e\u0771\ufffd\\u0001\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\u003C+\\u001e\u0771\ufffd\\u0001\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003C+\u0771\ufffd\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12713102,"ip":"45.148.10.147","ts":"2026-07-18 02:39:14.000000","proto":"tcp","src_port":29736,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.857430627539667, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002203974bf20c033d1d2fd7e4c83dd442fe\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014#\ufffd\ufffd\u003EF\ufffdI\ufffdX{\ufffd\/T\\u0006\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014#\ufffd\ufffd\u003EF\ufffdI\ufffdX{\ufffd\/T\\u0006\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014#\ufffd\ufffd\u003EF\ufffdI\ufffdX{\ufffd\/T\\u0006\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014#\ufffd\ufffd\u003EF\ufffdI\ufffdX{\ufffd\/T\\u0006\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014#\ufffd\ufffd\u003EF\ufffdI\ufffdX{\ufffd\/T\\u0006\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eb86ef2e45df8f10e3a6077740e99c36cd66a45c\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014#\ufffd\ufffd\u003EF\ufffdI\ufffdX{\ufffd\/T\\u0006\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014#\ufffd\ufffd\u003EF\ufffdI\ufffdX{\ufffd\/T\\u0006\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|#\ufffd\ufffd\u003EF\ufffdI\ufffdX{\ufffd\/T\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014#\ufffd\ufffd\u003EF\ufffdI\ufffdX{\ufffd\/T\\u0006\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014#\ufffd\ufffd\u003EF\ufffdI\ufffdX{\ufffd\/T\\u0006\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|#\ufffd\ufffd\u003EF\ufffdI\ufffdX{\ufffd\/T\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12711992,"ip":"45.148.10.147","ts":"2026-07-18 02:23:31.000000","proto":"tcp","src_port":39638,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.860772080457562, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002234d9962327104dc781c421aa197509c6\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014D\ufffd\ufffdI?\ufffd\ufffd\ufffd\u003C\u021d\ufffd\ufffd\\f_\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014D\ufffd\ufffdI?\ufffd\ufffd\ufffd\u003C\u021d\ufffd\ufffd\\f_\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014D\ufffd\ufffdI?\ufffd\ufffd\ufffd\u003C\u021d\ufffd\ufffd\\f_\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014D\ufffd\ufffdI?\ufffd\ufffd\ufffd\u003C\u021d\ufffd\ufffd\\f_\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014D\ufffd\ufffdI?\ufffd\ufffd\ufffd\u003C\u021d\ufffd\ufffd\\f_\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221dcfd3b4d82fd0e4a754dd280d47b2231f8f8dcc\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014D\ufffd\ufffdI?\ufffd\ufffd\ufffd\u003C\u021d\ufffd\ufffd\\f_\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014D\ufffd\ufffdI?\ufffd\ufffd\ufffd\u003C\u021d\ufffd\ufffd\\f_\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|D\ufffd\ufffdI?\ufffd\ufffd\ufffd\u003C\u021d\ufffd\ufffd_hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014D\ufffd\ufffdI?\ufffd\ufffd\ufffd\u003C\u021d\ufffd\ufffd\\f_\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014D\ufffd\ufffdI?\ufffd\ufffd\ufffd\u003C\u021d\ufffd\ufffd\\f_\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|D\ufffd\ufffdI?\ufffd\ufffd\ufffd\u003C\u021d\ufffd\ufffd_hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12706461,"ip":"45.148.10.147","ts":"2026-07-18 01:03:27.000000","proto":"tcp","src_port":30644,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.848403582186032, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022881378cdaed8955ff8a4bc853377cbd8\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdw\ufffdd8\ufffd*u}\\t\ufffd\ufffd\\u0017\ufffdI\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdw\ufffdd8\ufffd*u}\\t\ufffd\ufffd\\u0017\ufffdI\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdw\ufffdd8\ufffd*u}\\t\ufffd\ufffd\\u0017\ufffdI\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdw\ufffdd8\ufffd*u}\\t\ufffd\ufffd\\u0017\ufffdI\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdw\ufffdd8\ufffd*u}\\t\ufffd\ufffd\\u0017\ufffdI\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002274db0973a4a76356c23a74223b4b1c75c9072098\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdw\ufffdd8\ufffd*u}\\t\ufffd\ufffd\\u0017\ufffdI\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdw\ufffdd8\ufffd*u}\\t\ufffd\ufffd\\u0017\ufffdI\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffdw\ufffdd8\ufffd*u}\\t\ufffd\ufffd\ufffdIhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdw\ufffdd8\ufffd*u}\\t\ufffd\ufffd\\u0017\ufffdI\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffdw\ufffdd8\ufffd*u}\\t\ufffd\ufffd\\u0017\ufffdI\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffdw\ufffdd8\ufffd*u}\\t\ufffd\ufffd\ufffdIhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12695165,"ip":"45.148.10.147","ts":"2026-07-17 22:00:35.000000","proto":"tcp","src_port":55648,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.855641799343492, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f8b5548d9fe0bf9e2a896ee9732d5eab\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\/\ufffd+\ufffd\\u0006\ufffd\ufffd\ufffdM\ufffd\u027fX0\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\/\ufffd+\ufffd\\u0006\ufffd\ufffd\ufffdM\ufffd\u027fX0\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\/\ufffd+\ufffd\\u0006\ufffd\ufffd\ufffdM\ufffd\u027fX0\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\/\ufffd+\ufffd\\u0006\ufffd\ufffd\ufffdM\ufffd\u027fX0\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\/\ufffd+\ufffd\\u0006\ufffd\ufffd\ufffdM\ufffd\u027fX0\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eafce151f0ccfb2b260948f2f0bfbb0f10771363\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\/\ufffd+\ufffd\\u0006\ufffd\ufffd\ufffdM\ufffd\u027fX0\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\/\ufffd+\ufffd\\u0006\ufffd\ufffd\ufffdM\ufffd\u027fX0\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\/\ufffd+\ufffd\ufffd\ufffd\ufffdM\ufffd\u027fX0\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\/\ufffd+\ufffd\\u0006\ufffd\ufffd\ufffdM\ufffd\u027fX0\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\/\ufffd+\ufffd\\u0006\ufffd\ufffd\ufffdM\ufffd\u027fX0\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\/\ufffd+\ufffd\ufffd\ufffd\ufffdM\ufffd\u027fX0\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12680051,"ip":"45.148.10.147","ts":"2026-07-17 18:10:39.000000","proto":"tcp","src_port":6056,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.835736705304054, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002279c26ffbecff1690434aa090440a4e5b\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014h[\\t\\u000f\ufffd2#\ufffd\ufffd\ufffdg\ufffd\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014h[\\t\\u000f\ufffd2#\ufffd\ufffd\ufffdg\ufffd\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014h[\\t\\u000f\ufffd2#\ufffd\ufffd\ufffdg\ufffd\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014h[\\t\\u000f\ufffd2#\ufffd\ufffd\ufffdg\ufffd\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014h[\\t\\u000f\ufffd2#\ufffd\ufffd\ufffdg\ufffd\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222c48e34956c60f7278c4ef3beec2a23a31e160c3\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014h[\\t\\u000f\ufffd2#\ufffd\ufffd\ufffdg\ufffd\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014h[\\t\\u000f\ufffd2#\ufffd\ufffd\ufffdg\ufffd\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|h[\\t\ufffd2#\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014h[\\t\\u000f\ufffd2#\ufffd\ufffd\ufffdg\ufffd\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014h[\\t\\u000f\ufffd2#\ufffd\ufffd\ufffdg\ufffd\\u0001\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|h[\\t\ufffd2#\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12679615,"ip":"45.148.10.147","ts":"2026-07-17 18:04:52.000000","proto":"tcp","src_port":30900,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.846723020619101, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228a5859dd3011dd5ed5cc71e262676b5f\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0017\ufffd+\ufffd\ufffd\/,P\ufffdhj\u0620\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0017\ufffd+\ufffd\ufffd\/,P\ufffdhj\u0620\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0017\ufffd+\ufffd\ufffd\/,P\ufffdhj\u0620\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0017\ufffd+\ufffd\ufffd\/,P\ufffdhj\u0620\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0017\ufffd+\ufffd\ufffd\/,P\ufffdhj\u0620\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002242dd9ccd3ce4db41294fa9596f681d5036b080de\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0017\ufffd+\ufffd\ufffd\/,P\ufffdhj\u0620\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0017\ufffd+\ufffd\ufffd\/,P\ufffdhj\u0620\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd+\ufffd\ufffd\/,P\ufffdhj\u0620\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0017\ufffd+\ufffd\ufffd\/,P\ufffdhj\u0620\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0017\ufffd+\ufffd\ufffd\/,P\ufffdhj\u0620\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd+\ufffd\ufffd\/,P\ufffdhj\u0620\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12678654,"ip":"45.148.10.147","ts":"2026-07-17 17:49:06.000000","proto":"tcp","src_port":45726,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.840320458402409, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a51e3d0a2d0320e16d57d3ec8c5de7e5\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd]\ufffd#Gs\ufffd\ufffd\u038f\\\u0022\ufffd\ufffd-\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd]\ufffd#Gs\ufffd\ufffd\u038f\\\u0022\ufffd\ufffd-\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd]\ufffd#Gs\ufffd\ufffd\u038f\\\u0022\ufffd\ufffd-\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd]\ufffd#Gs\ufffd\ufffd\u038f\\\u0022\ufffd\ufffd-\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd]\ufffd#Gs\ufffd\ufffd\u038f\\\u0022\ufffd\ufffd-\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a74309123895c0343ff68d50245baff025db765a\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd]\ufffd#Gs\ufffd\ufffd\u038f\\\u0022\ufffd\ufffd-\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd]\ufffd#Gs\ufffd\ufffd\u038f\\\u0022\ufffd\ufffd-\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd]\ufffd#Gs\ufffd\ufffd\u038f\\\u0022\ufffd\ufffd-\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd]\ufffd#Gs\ufffd\ufffd\u038f\\\u0022\ufffd\ufffd-\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd]\ufffd#Gs\ufffd\ufffd\u038f\\\u0022\ufffd\ufffd-\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd]\ufffd#Gs\ufffd\ufffd\u038f\\\u0022\ufffd\ufffd-\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12676475,"ip":"45.148.10.147","ts":"2026-07-17 17:17:57.000000","proto":"tcp","src_port":25462,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.846117848184795, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b23d8a93792dbb9b608661ad83097d5b\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\u0027\ufffd*\/AN\ufffdt\ufffdG\ufffd\u054b\u03088\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\u0027\ufffd*\/AN\ufffdt\ufffdG\ufffd\u054b\u03088\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\u0027\ufffd*\/AN\ufffdt\ufffdG\ufffd\u054b\u03088\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\u0027\ufffd*\/AN\ufffdt\ufffdG\ufffd\u054b\u03088\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\u0027\ufffd*\/AN\ufffdt\ufffdG\ufffd\u054b\u03088\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e102fa3feb30bedfa76a15bddf61a09a75ce1a4a\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\u0027\ufffd*\/AN\ufffdt\ufffdG\ufffd\u054b\u03088\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\u0027\ufffd*\/AN\ufffdt\ufffdG\ufffd\u054b\u03088\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\u0027\ufffd*\/AN\ufffdt\ufffdG\ufffd\u054b\u03088hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\u0027\ufffd*\/AN\ufffdt\ufffdG\ufffd\u054b\u03088\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\u0027\ufffd*\/AN\ufffdt\ufffdG\ufffd\u054b\u03088\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\u0027\ufffd*\/AN\ufffdt\ufffdG\ufffd\u054b\u03088hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12675175,"ip":"45.148.10.147","ts":"2026-07-17 17:02:25.000000","proto":"tcp","src_port":14400,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.8431475535062365, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ae9dadfe32bff412bd76bf3cdbd4bd10\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdMb\ufffd\ufffd\ufffd[(|\ufffd\ufffd\ufffd\ufffdp\ufffd.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdMb\ufffd\ufffd\ufffd[(|\ufffd\ufffd\ufffd\ufffdp\ufffd.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdMb\ufffd\ufffd\ufffd[(|\ufffd\ufffd\ufffd\ufffdp\ufffd.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdMb\ufffd\ufffd\ufffd[(|\ufffd\ufffd\ufffd\ufffdp\ufffd.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdMb\ufffd\ufffd\ufffd[(|\ufffd\ufffd\ufffd\ufffdp\ufffd.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b01f0a80a9cfd7b9ec7cef083b0984f1f4ae4892\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdMb\ufffd\ufffd\ufffd[(|\ufffd\ufffd\ufffd\ufffdp\ufffd.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdMb\ufffd\ufffd\ufffd[(|\ufffd\ufffd\ufffd\ufffdp\ufffd.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffdMb\ufffd\ufffd\ufffd[(|\ufffd\ufffd\ufffd\ufffdp\ufffd.hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdMb\ufffd\ufffd\ufffd[(|\ufffd\ufffd\ufffd\ufffdp\ufffd.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdMb\ufffd\ufffd\ufffd[(|\ufffd\ufffd\ufffd\ufffdp\ufffd.\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffdMb\ufffd\ufffd\ufffd[(|\ufffd\ufffd\ufffd\ufffdp\ufffd.hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12674849,"ip":"45.148.10.147","ts":"2026-07-17 16:57:20.000000","proto":"tcp","src_port":51834,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.853387167833752, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002226180eee22b216dbbb9881bccd8fd080\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffdW\ufffd\ufffd\ufffd\ufffd\ufffd\\f\\u000bG\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffdW\ufffd\ufffd\ufffd\ufffd\ufffd\\f\\u000bG\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffdW\ufffd\ufffd\ufffd\ufffd\ufffd\\f\\u000bG\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffdW\ufffd\ufffd\ufffd\ufffd\ufffd\\f\\u000bG\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffdW\ufffd\ufffd\ufffd\ufffd\ufffd\\f\\u000bG\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ab303a4402f1c2e3981ac346bee780c490241a23\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffdW\ufffd\ufffd\ufffd\ufffd\ufffd\\f\\u000bG\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffdW\ufffd\ufffd\ufffd\ufffd\ufffd\\f\\u000bG\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffdW\ufffd\ufffd\ufffd\ufffd\ufffdGhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffdW\ufffd\ufffd\ufffd\ufffd\ufffd\\f\\u000bG\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffdW\ufffd\ufffd\ufffd\ufffd\ufffd\\f\\u000bG\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffdW\ufffd\ufffd\ufffd\ufffd\ufffdGhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12672582,"ip":"45.148.10.147","ts":"2026-07-17 16:26:07.000000","proto":"tcp","src_port":16518,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.840963350877426, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d78c4bd3651b18cf32d0ca658f8cc1fe\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd@F.\ufffd\\u0010:\ufffd\ufffdQ?\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd@F.\ufffd\\u0010:\ufffd\ufffdQ?\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd@F.\ufffd\\u0010:\ufffd\ufffdQ?\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd@F.\ufffd\\u0010:\ufffd\ufffdQ?\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd@F.\ufffd\\u0010:\ufffd\ufffdQ?\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223396ff2ff45dcf4cdfb702fe8d69d302c79bafb3\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd@F.\ufffd\\u0010:\ufffd\ufffdQ?\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd@F.\ufffd\\u0010:\ufffd\ufffdQ?\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd@F.\ufffd:\ufffd\ufffdQ?\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd@F.\ufffd\\u0010:\ufffd\ufffdQ?\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd@F.\ufffd\\u0010:\ufffd\ufffdQ?\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd@F.\ufffd:\ufffd\ufffdQ?\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12658006,"ip":"45.148.10.147","ts":"2026-07-17 12:36:50.000000","proto":"tcp","src_port":44124,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.8460476686555545, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e2ff214239ec59c17f6f5d6fc728703a\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffdAWM\ufffd\\u001e|\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffdAWM\ufffd\\u001e|\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffdAWM\ufffd\\u001e|\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffdAWM\ufffd\\u001e|\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffdAWM\ufffd\\u001e|\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eb2f84c29c27d09e8b2299cb033775a7e237c3a7\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffdAWM\ufffd\\u001e|\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffdAWM\ufffd\\u001e|\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffdAWM\ufffd|\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffdAWM\ufffd\\u001e|\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffdAWM\ufffd\\u001e|\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffdAWM\ufffd|\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12655572,"ip":"45.148.10.147","ts":"2026-07-17 11:23:05.000000","proto":"tcp","src_port":9716,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.85936659908019, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b45bf1c4886f0548de2bbc604f248bab\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd^I};\ufffd\\tA\\t\ufffd\ufffd\\u0016_\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd^I};\ufffd\\tA\\t\ufffd\ufffd\\u0016_\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd^I};\ufffd\\tA\\t\ufffd\ufffd\\u0016_\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd^I};\ufffd\\tA\\t\ufffd\ufffd\\u0016_\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd^I};\ufffd\\tA\\t\ufffd\ufffd\\u0016_\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002230cf08aabf4bba5e0c135fcd426c7171faa89ba6\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd^I};\ufffd\\tA\\t\ufffd\ufffd\\u0016_\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd^I};\ufffd\\tA\\t\ufffd\ufffd\\u0016_\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd^I};\ufffd\\tA\\t\ufffd\ufffd_\ufffd\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd^I};\ufffd\\tA\\t\ufffd\ufffd\\u0016_\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd^I};\ufffd\\tA\\t\ufffd\ufffd\\u0016_\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd^I};\ufffd\\tA\\t\ufffd\ufffd_\ufffd\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12652645,"ip":"45.148.10.147","ts":"2026-07-17 10:20:21.000000","proto":"tcp","src_port":27906,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.851878881559422, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223f3c424ea0fd4480d6f4d5d93de6b0ac\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdD\ufffd$\ufffd\ufffd^\ufffdQ\ufffd\ufffd\ufffd\ufffdM\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdD\ufffd$\ufffd\ufffd^\ufffdQ\ufffd\ufffd\ufffd\ufffdM\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdD\ufffd$\ufffd\ufffd^\ufffdQ\ufffd\ufffd\ufffd\ufffdM\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdD\ufffd$\ufffd\ufffd^\ufffdQ\ufffd\ufffd\ufffd\ufffdM\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdD\ufffd$\ufffd\ufffd^\ufffdQ\ufffd\ufffd\ufffd\ufffdM\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226441caf5d32d99571fdd89e2b13a0d6e2eebbabd\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdD\ufffd$\ufffd\ufffd^\ufffdQ\ufffd\ufffd\ufffd\ufffdM\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdD\ufffd$\ufffd\ufffd^\ufffdQ\ufffd\ufffd\ufffd\ufffdM\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffdD\ufffd$\ufffd\ufffd^\ufffdQ\ufffd\ufffd\ufffd\ufffdMhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdD\ufffd$\ufffd\ufffd^\ufffdQ\ufffd\ufffd\ufffd\ufffdM\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdD\ufffd$\ufffd\ufffd^\ufffdQ\ufffd\ufffd\ufffd\ufffdM\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffdD\ufffd$\ufffd\ufffd^\ufffdQ\ufffd\ufffd\ufffd\ufffdMhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12649727,"ip":"45.148.10.147","ts":"2026-07-17 09:15:43.000000","proto":"tcp","src_port":7064,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.840704263906797, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221dc8d230f72a39630c3963d420b11496\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u56da\ufffd\\u00071\ufffd\ufffd\ufffdy.\ufffd\ufffd\\t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u56da\ufffd\\u00071\ufffd\ufffd\ufffdy.\ufffd\ufffd\\t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u56da\ufffd\\u00071\ufffd\ufffd\ufffdy.\ufffd\ufffd\\t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u56da\ufffd\\u00071\ufffd\ufffd\ufffdy.\ufffd\ufffd\\t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u56da\ufffd\\u00071\ufffd\ufffd\ufffdy.\ufffd\ufffd\\t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227e117f33a89e81c48e4697e0b659eabd8032452c\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u56da\ufffd\\u00071\ufffd\ufffd\ufffdy.\ufffd\ufffd\\t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u56da\ufffd\\u00071\ufffd\ufffd\ufffdy.\ufffd\ufffd\\t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\u56da\ufffd1\ufffd\ufffd\ufffdy.\ufffd\ufffd\\thcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u56da\ufffd\\u00071\ufffd\ufffd\ufffdy.\ufffd\ufffd\\t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\u56da\ufffd\\u00071\ufffd\ufffd\ufffdy.\ufffd\ufffd\\t\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\u56da\ufffd1\ufffd\ufffd\ufffdy.\ufffd\ufffd\\thcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12649513,"ip":"45.148.10.147","ts":"2026-07-17 09:10:29.000000","proto":"tcp","src_port":57280,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.857961117702819, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d59ebe5609e83f8cbb51d6f53052b408\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_\ufffd7)ID7\u0133G+z\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_\ufffd7)ID7\u0133G+z\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_\ufffd7)ID7\u0133G+z\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_\ufffd7)ID7\u0133G+z\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_\ufffd7)ID7\u0133G+z\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d48252ed82c001b63702e8d689fe0f12dd61663e\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_\ufffd7)ID7\u0133G+z\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_\ufffd7)ID7\u0133G+z\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd_\ufffd7)ID7\u0133G+z\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_\ufffd7)ID7\u0133G+z\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd_\ufffd7)ID7\u0133G+z\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd_\ufffd7)ID7\u0133G+z\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12649081,"ip":"45.148.10.147","ts":"2026-07-17 08:59:59.000000","proto":"tcp","src_port":12726,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.844893641116356, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002204b4cbd1bc4d64d096f30700f9ab2968\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\t6\ufffd\\u0015\ufffdd.\ufffd\ufffd\ufffdGLb\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\t6\ufffd\\u0015\ufffdd.\ufffd\ufffd\ufffdGLb\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\t6\ufffd\\u0015\ufffdd.\ufffd\ufffd\ufffdGLb\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\t6\ufffd\\u0015\ufffdd.\ufffd\ufffd\ufffdGLb\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\t6\ufffd\\u0015\ufffdd.\ufffd\ufffd\ufffdGLb\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002209890930740413e041188af8af81e1d788c0928d\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\t6\ufffd\\u0015\ufffdd.\ufffd\ufffd\ufffdGLb\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\t6\ufffd\\u0015\ufffdd.\ufffd\ufffd\ufffdGLb\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\\t6\ufffd\ufffdd.\ufffd\ufffd\ufffdGLb\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\t6\ufffd\\u0015\ufffdd.\ufffd\ufffd\ufffdGLb\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\\t6\ufffd\\u0015\ufffdd.\ufffd\ufffd\ufffdGLb\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\\t6\ufffd\ufffdd.\ufffd\ufffd\ufffdGLb\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12648294,"ip":"45.148.10.147","ts":"2026-07-17 08:39:08.000000","proto":"tcp","src_port":47392,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.846849944694581, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c1e649ab7162a88b4782d165df1ec6f1\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd,\\u0012`\ufffd_z\ufffd{BrFl$\u074c\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd,\\u0012`\ufffd_z\ufffd{BrFl$\u074c\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd,\\u0012`\ufffd_z\ufffd{BrFl$\u074c\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd,\\u0012`\ufffd_z\ufffd{BrFl$\u074c\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd,\\u0012`\ufffd_z\ufffd{BrFl$\u074c\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022debf5b6aff65b2c0dee05b4d63c48026ab886ce8\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd,\\u0012`\ufffd_z\ufffd{BrFl$\u074c\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd,\\u0012`\ufffd_z\ufffd{BrFl$\u074c\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd,`\ufffd_z\ufffd{BrFl$\u074chcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd,\\u0012`\ufffd_z\ufffd{BrFl$\u074c\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd,\\u0012`\ufffd_z\ufffd{BrFl$\u074c\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd,`\ufffd_z\ufffd{BrFl$\u074chcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12648111,"ip":"45.148.10.147","ts":"2026-07-17 08:33:54.000000","proto":"tcp","src_port":47300,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.842061960195926, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223e6561597e285b261125fd6b883c2144\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014f\ufffdk:\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\\u001d\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014f\ufffdk:\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\\u001d\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014f\ufffdk:\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\\u001d\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014f\ufffdk:\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\\u001d\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014f\ufffdk:\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\\u001d\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022580f58d438cb8aee6f96ef1d9fb0073bb61ed5ec\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014f\ufffdk:\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\\u001d\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014f\ufffdk:\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\\u001d\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|f\ufffdk:\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014f\ufffdk:\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\\u001d\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014f\ufffdk:\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\\u001d\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|f\ufffdk:\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12647692,"ip":"45.148.10.147","ts":"2026-07-17 08:23:33.000000","proto":"tcp","src_port":18454,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.857430627539667, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bbabaf9b4b7a6a03de11a05adcd54794\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\f\u073e\ufffd\u07da\\u0005\ufffd\ufffd\\u0016\ufffdB\ufffd\ufffd\/+\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\f\u073e\ufffd\u07da\\u0005\ufffd\ufffd\\u0016\ufffdB\ufffd\ufffd\/+\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\f\u073e\ufffd\u07da\\u0005\ufffd\ufffd\\u0016\ufffdB\ufffd\ufffd\/+\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\f\u073e\ufffd\u07da\\u0005\ufffd\ufffd\\u0016\ufffdB\ufffd\ufffd\/+\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\f\u073e\ufffd\u07da\\u0005\ufffd\ufffd\\u0016\ufffdB\ufffd\ufffd\/+\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002283fd57b9152fa2ef76c57de4eec77fa845efa868\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\f\u073e\ufffd\u07da\\u0005\ufffd\ufffd\\u0016\ufffdB\ufffd\ufffd\/+\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\f\u073e\ufffd\u07da\\u0005\ufffd\ufffd\\u0016\ufffdB\ufffd\ufffd\/+\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\u073e\ufffd\u07da\ufffd\ufffd\ufffdB\ufffd\ufffd\/+hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\f\u073e\ufffd\u07da\\u0005\ufffd\ufffd\\u0016\ufffdB\ufffd\ufffd\/+\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\f\u073e\ufffd\u07da\\u0005\ufffd\ufffd\\u0016\ufffdB\ufffd\ufffd\/+\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\u073e\ufffd\u07da\ufffd\ufffd\ufffdB\ufffd\ufffd\/+hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12645456,"ip":"45.148.10.147","ts":"2026-07-17 07:31:21.000000","proto":"tcp","src_port":47846,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.849920345766027, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224ef06654d2f1b0392cf5ad4398ef951c\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0005}\ufffd\\u001c\\u001e\ufffd\\b@\ufffd\ufffdR\ufffd\ufffd\\u001a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0005}\ufffd\\u001c\\u001e\ufffd\\b@\ufffd\ufffdR\ufffd\ufffd\\u001a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0005}\ufffd\\u001c\\u001e\ufffd\\b@\ufffd\ufffdR\ufffd\ufffd\\u001a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0005}\ufffd\\u001c\\u001e\ufffd\\b@\ufffd\ufffdR\ufffd\ufffd\\u001a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0005}\ufffd\\u001c\\u001e\ufffd\\b@\ufffd\ufffdR\ufffd\ufffd\\u001a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227f782fd64824f15023a1c3581b65051ba2f1de2a\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0005}\ufffd\\u001c\\u001e\ufffd\\b@\ufffd\ufffdR\ufffd\ufffd\\u001a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0005}\ufffd\\u001c\\u001e\ufffd\\b@\ufffd\ufffdR\ufffd\ufffd\\u001a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|}\ufffd\ufffd@\ufffd\ufffdR\ufffd\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0005}\ufffd\\u001c\\u001e\ufffd\\b@\ufffd\ufffdR\ufffd\ufffd\\u001a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u0005}\ufffd\\u001c\\u001e\ufffd\\b@\ufffd\ufffdR\ufffd\ufffd\\u001a\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|}\ufffd\ufffd@\ufffd\ufffdR\ufffd\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12645180,"ip":"45.148.10.147","ts":"2026-07-17 07:26:06.000000","proto":"tcp","src_port":46132,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.838862334423204, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221eebf0b0d4fd15fb0ae4ff76731deb51\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd1\ufffd1_\ufffd\ufffd\\u0006Y\ufffd\\u001e\ufffd\\u0015d\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd1\ufffd1_\ufffd\ufffd\\u0006Y\ufffd\\u001e\ufffd\\u0015d\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd1\ufffd1_\ufffd\ufffd\\u0006Y\ufffd\\u001e\ufffd\\u0015d\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd1\ufffd1_\ufffd\ufffd\\u0006Y\ufffd\\u001e\ufffd\\u0015d\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd1\ufffd1_\ufffd\ufffd\\u0006Y\ufffd\\u001e\ufffd\\u0015d\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220bb6082c0e6edcb7059940ebb064bcfb74802ff6\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd1\ufffd1_\ufffd\ufffd\\u0006Y\ufffd\\u001e\ufffd\\u0015d\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd1\ufffd1_\ufffd\ufffd\\u0006Y\ufffd\\u001e\ufffd\\u0015d\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffd1\ufffd1_\ufffd\ufffdY\ufffd\ufffddhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd1\ufffd1_\ufffd\ufffd\\u0006Y\ufffd\\u001e\ufffd\\u0015d\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd\ufffd1\ufffd1_\ufffd\ufffd\\u0006Y\ufffd\\u001e\ufffd\\u0015d\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffd1\ufffd1_\ufffd\ufffdY\ufffd\ufffddhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12644588,"ip":"45.148.10.147","ts":"2026-07-17 07:15:28.000000","proto":"tcp","src_port":59356,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.85149365217101, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002285d6d2643d4c79a9ae43b998935774a0\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000f\ufffd\ufffd\ufffds\ufffd\u05e8\ufffd\ufffd\\nM\ufffd\u0631\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000f\ufffd\ufffd\ufffds\ufffd\u05e8\ufffd\ufffd\\nM\ufffd\u0631\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000f\ufffd\ufffd\ufffds\ufffd\u05e8\ufffd\ufffd\\nM\ufffd\u0631\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000f\ufffd\ufffd\ufffds\ufffd\u05e8\ufffd\ufffd\\nM\ufffd\u0631\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000f\ufffd\ufffd\ufffds\ufffd\u05e8\ufffd\ufffd\\nM\ufffd\u0631\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227dd3efdc9f51b6d044124e7fb6429de6787dee38\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000f\ufffd\ufffd\ufffds\ufffd\u05e8\ufffd\ufffd\\nM\ufffd\u0631\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000f\ufffd\ufffd\ufffds\ufffd\u05e8\ufffd\ufffd\\nM\ufffd\u0631\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffds\ufffd\u05e8\ufffd\ufffd\\nM\ufffd\u0631hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000f\ufffd\ufffd\ufffds\ufffd\u05e8\ufffd\ufffd\\nM\ufffd\u0631\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\\u000f\ufffd\ufffd\ufffds\ufffd\u05e8\ufffd\ufffd\\nM\ufffd\u0631\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd\ufffds\ufffd\u05e8\ufffd\ufffd\\nM\ufffd\u0631hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12609943,"ip":"45.148.10.147","ts":"2026-07-17 00:56:58.000000","proto":"tcp","src_port":44810,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.8476396891318645, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d8385e752d5b8d6a01597911b9a9180d\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014=\\u000e\ufffd\ufffd4H\ufffd\ufffdg\ufffdf\\u0013\ufffd$\u04db\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014=\\u000e\ufffd\ufffd4H\ufffd\ufffdg\ufffdf\\u0013\ufffd$\u04db\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014=\\u000e\ufffd\ufffd4H\ufffd\ufffdg\ufffdf\\u0013\ufffd$\u04db\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014=\\u000e\ufffd\ufffd4H\ufffd\ufffdg\ufffdf\\u0013\ufffd$\u04db\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014=\\u000e\ufffd\ufffd4H\ufffd\ufffdg\ufffdf\\u0013\ufffd$\u04db\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022560fdaffe9d9f0ec6f2b5abfe5e6b2e9cbf6a78d\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014=\\u000e\ufffd\ufffd4H\ufffd\ufffdg\ufffdf\\u0013\ufffd$\u04db\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014=\\u000e\ufffd\ufffd4H\ufffd\ufffdg\ufffdf\\u0013\ufffd$\u04db\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|=\ufffd\ufffd4H\ufffd\ufffdg\ufffdf\ufffd$\u04dbhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014=\\u000e\ufffd\ufffd4H\ufffd\ufffdg\ufffdf\\u0013\ufffd$\u04db\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014=\\u000e\ufffd\ufffd4H\ufffd\ufffdg\ufffdf\\u0013\ufffd$\u04db\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|=\ufffd\ufffd4H\ufffd\ufffdg\ufffdf\ufffd$\u04dbhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12609589,"ip":"45.148.10.147","ts":"2026-07-17 00:46:39.000000","proto":"tcp","src_port":51484,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.827193078766945, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227b72e23b8be1871b156c353d7257504e\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Rx\\u00013V\ufffd\ufffdtf\ufffdH\ufffd\\u001bmki\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Rx\\u00013V\ufffd\ufffdtf\ufffdH\ufffd\\u001bmki\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Rx\\u00013V\ufffd\ufffdtf\ufffdH\ufffd\\u001bmki\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Rx\\u00013V\ufffd\ufffdtf\ufffdH\ufffd\\u001bmki\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Rx\\u00013V\ufffd\ufffdtf\ufffdH\ufffd\\u001bmki\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221ee9e5c51e15a9a2dfc7a32dd6014a544f52a4a4\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Rx\\u00013V\ufffd\ufffdtf\ufffdH\ufffd\\u001bmki\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Rx\\u00013V\ufffd\ufffdtf\ufffdH\ufffd\\u001bmki\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|Rx3V\ufffd\ufffdtf\ufffdH\ufffdmkihcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Rx\\u00013V\ufffd\ufffdtf\ufffdH\ufffd\\u001bmki\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014Rx\\u00013V\ufffd\ufffdtf\ufffdH\ufffd\\u001bmki\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|Rx3V\ufffd\ufffdtf\ufffdH\ufffdmkihcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12607489,"ip":"45.148.10.147","ts":"2026-07-16 23:44:22.000000","proto":"tcp","src_port":10294,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.838483795972607, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223d106ea9b6937d153a9187e3ed795f1c\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+\ufffd\ufffd\ufffd\\u00191X\u0307\ufffd\\u0014\\u0001\ufffd\ufffd\u003Cy\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+\ufffd\ufffd\ufffd\\u00191X\u0307\ufffd\\u0014\\u0001\ufffd\ufffd\u003Cy\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+\ufffd\ufffd\ufffd\\u00191X\u0307\ufffd\\u0014\\u0001\ufffd\ufffd\u003Cy\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+\ufffd\ufffd\ufffd\\u00191X\u0307\ufffd\\u0014\\u0001\ufffd\ufffd\u003Cy\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+\ufffd\ufffd\ufffd\\u00191X\u0307\ufffd\\u0014\\u0001\ufffd\ufffd\u003Cy\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222d8a15489e9b855c0b7e93219fe7df55bb3795b6\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+\ufffd\ufffd\ufffd\\u00191X\u0307\ufffd\\u0014\\u0001\ufffd\ufffd\u003Cy\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+\ufffd\ufffd\ufffd\\u00191X\u0307\ufffd\\u0014\\u0001\ufffd\ufffd\u003Cy\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|+\ufffd\ufffd\ufffd1X\u0307\ufffd\ufffd\ufffd\u003Cyhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+\ufffd\ufffd\ufffd\\u00191X\u0307\ufffd\\u0014\\u0001\ufffd\ufffd\u003Cy\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014+\ufffd\ufffd\ufffd\\u00191X\u0307\ufffd\\u0014\\u0001\ufffd\ufffd\u003Cy\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|+\ufffd\ufffd\ufffd1X\u0307\ufffd\ufffd\ufffd\u003Cyhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12605824,"ip":"45.148.10.147","ts":"2026-07-16 22:52:30.000000","proto":"tcp","src_port":63798,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.8396286436911184, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e7e640c4e66eb6b189311b8cdf035b1b\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014d\ufffdh\ufffdy#(d!8K\ufffd\ufffd\ufffdM\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014d\ufffdh\ufffdy#(d!8K\ufffd\ufffd\ufffdM\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014d\ufffdh\ufffdy#(d!8K\ufffd\ufffd\ufffdM\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014d\ufffdh\ufffdy#(d!8K\ufffd\ufffd\ufffdM\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014d\ufffdh\ufffdy#(d!8K\ufffd\ufffd\ufffdM\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222fd53407601fc3a17414910b98681f4432a61c1c\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014d\ufffdh\ufffdy#(d!8K\ufffd\ufffd\ufffdM\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014d\ufffdh\ufffdy#(d!8K\ufffd\ufffd\ufffdM\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|d\ufffdh\ufffdy#(d!8K\ufffd\ufffd\ufffdM\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014d\ufffdh\ufffdy#(d!8K\ufffd\ufffd\ufffdM\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014d\ufffdh\ufffdy#(d!8K\ufffd\ufffd\ufffdM\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|d\ufffdh\ufffdy#(d!8K\ufffd\ufffd\ufffdM\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12530457,"ip":"45.148.10.147","ts":"2026-07-16 15:59:17.000000","proto":"tcp","src_port":9300,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.832589815032994, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220be24d4bfa16c950800353aa0cf8e1f3\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd2\ufffd\ufffd\ufffdr5\ufffd\/\ufffd.\ufffdv.\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd2\ufffd\ufffd\ufffdr5\ufffd\/\ufffd.\ufffdv.\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd2\ufffd\ufffd\ufffdr5\ufffd\/\ufffd.\ufffdv.\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd2\ufffd\ufffd\ufffdr5\ufffd\/\ufffd.\ufffdv.\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd2\ufffd\ufffd\ufffdr5\ufffd\/\ufffd.\ufffdv.\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ed00eee4b4c60d754089885304662a6c500f2e79\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd2\ufffd\ufffd\ufffdr5\ufffd\/\ufffd.\ufffdv.\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd2\ufffd\ufffd\ufffdr5\ufffd\/\ufffd.\ufffdv.\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd2\ufffd\ufffd\ufffdr5\ufffd\/\ufffd.\ufffdv.\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd2\ufffd\ufffd\ufffdr5\ufffd\/\ufffd.\ufffdv.\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd\ufffd2\ufffd\ufffd\ufffdr5\ufffd\/\ufffd.\ufffdv.\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd\ufffd2\ufffd\ufffd\ufffdr5\ufffd\/\ufffd.\ufffdv.\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12529097,"ip":"45.148.10.147","ts":"2026-07-16 15:17:29.000000","proto":"tcp","src_port":47082,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.8496705556303, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224f24635e88b2fe44409ff48ab37f601b\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd1\\t\\n\ufffd\u0314IR\\n\ufffd\u0753\\u0014\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd1\\t\\n\ufffd\u0314IR\\n\ufffd\u0753\\u0014\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd1\\t\\n\ufffd\u0314IR\\n\ufffd\u0753\\u0014\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd1\\t\\n\ufffd\u0314IR\\n\ufffd\u0753\\u0014\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd1\\t\\n\ufffd\u0314IR\\n\ufffd\u0753\\u0014\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022af4b2f7090c18334b098076b251cd68ce2c89988\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd1\\t\\n\ufffd\u0314IR\\n\ufffd\u0753\\u0014\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd1\\t\\n\ufffd\u0314IR\\n\ufffd\u0753\\u0014\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd1\\t\\n\ufffd\u0314IR\\n\ufffd\u0753hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd1\\t\\n\ufffd\u0314IR\\n\ufffd\u0753\\u0014\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffd1\\t\\n\ufffd\u0314IR\\n\ufffd\u0753\\u0014\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffd1\\t\\n\ufffd\u0314IR\\n\ufffd\u0753hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423},{"id":12516060,"ip":"45.148.10.147","ts":"2026-07-16 13:32:00.000000","proto":"tcp","src_port":20126,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1423, \u0022payload_entropy\u0022: 4.841125569518924, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 48090, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PuTTY SSH client\u0022, \u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 48090, \u0022org\u0022: \u0022Techoff Srv Limited\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220c3d76be2f22dcf72794943cc60de97f\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdmpt\ufffd\ufffd\ufffd JX\ufffd\ufffd`\\u001c\\r\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdmpt\ufffd\ufffd\ufffd JX\ufffd\ufffd`\\u001c\\r\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdmpt\ufffd\ufffd\ufffd JX\ufffd\ufffd`\\u001c\\r\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdmpt\ufffd\ufffd\ufffd JX\ufffd\ufffd`\\u001c\\r\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdmpt\ufffd\ufffd\ufffd JX\ufffd\ufffd`\\u001c\\r\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022af6f0916af783eb22a310308de695bc39d2d96bd\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdmpt\ufffd\ufffd\ufffd JX\ufffd\ufffd`\\u001c\\r\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdmpt\ufffd\ufffd\ufffd JX\ufffd\ufffd`\\u001c\\r\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffdmpt\ufffd\ufffd\ufffd JX\ufffd\ufffd`\\r\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0389\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdmpt\ufffd\ufffd\ufffd JX\ufffd\ufffd`\\u001c\\r\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-PUTTY\\r\\n\\u0000\\u0000\\u0005|\\u0005\\u0014\ufffdmpt\ufffd\ufffd\ufffd JX\ufffd\ufffd`\\u001c\\r\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-PUTTY\\r\\n|\ufffdmpt\ufffd\ufffd\ufffd JX\ufffd\ufffd`\\r\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1423}],"total_events":115}