|
|
TCP |
4443 · HTTP
|
http
|
Sonde HTTP
Sonde HTTP · via HTTP:4443 · (sonde / probe) · → /favicon.ico
|
Élevée
|
Moyen · 40
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET /favicon.ico UA Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0…
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950470:nosqli-3
net_web_probe
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
4443
Chemin / cible
/favicon.ico
Pourquoi cette classification : Sonde HTTP (tag nosqli-3) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 40
Confiance : Confiance 50 % — Motif catalogue confirmé · 1 tag(s) WAF
Protocole émulé
1
Signaux
Requête favicon.ico
Single Port
Chemin bénin connu
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36
Règles WAF
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:4443
User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.63
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:4443 User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20696d6167652f782d69636f6e0d0a436f6e74656e742d4c656e6774683a2032320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a0000010001001010000001002000680400001600",
"emulator_response_len": 130,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "c7e3312ad89b5c953c233d6bb536f12495aec80f",
"http_host_hash": "e950df8a5a68e4dcc53c2ea4813456e73c1d6fc9",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 187,
"payload_entropy": 5.332390130456047,
"port_category": "registered",
"org": "Sistemas Informaticos, S.A.",
"service": "http",
"app_proto": "http",
"asn": 211680,
"country": "PT",
"dst_port": 4443,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15
},
"risk_score": 40,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "10d1cb458adca2d8f416e099f77f98b222198c6a",
"event_fingerprint": "d8572fadfc8aeca0f7507216592ad19d38173803",
"classification_reason": "Sonde HTTP (tag nosqli-3) \u00b7 confiance 50%",
"confidence": 0.5,
"classification_confidence": 0.5,
"precision_score": 94,
"precision_signals": [
"INT-benign-favicon",
"INT-single-port",
"INT-benign-path-cap"
],
"kb_rule_ids": [
"INT-benign-favicon",
"INT-single-port",
"INT-benign-path-cap"
],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15,
"risk_score": 40
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "PT",
"asn": 211680,
"org": "Sistemas Informaticos, S.A.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "4dcb5466a1cf9e92d38fdee8553b0c1e",
"payload_hash": "8ccdd2734cc716006c033601cfd75bcf",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 4443,
"service": "http",
"service_name": "http",
"risk_score": 40
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.63",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36",
"waf_tags": [
"950470:nosqli-3"
],
"waf_rule_names": [
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.63",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36",
"waf_tags": [
"950470:nosqli-3"
],
"waf_rule_names": [
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.63",
"classification_reason": "Sonde HTTP (tag nosqli-3) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "aadecb4262db9e0c1b6766931ce8636f234a2f76",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36",
"port": 4443,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.63",
"attack_vector": "Sonde HTTP \u00b7 via HTTP:4443 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico",
"target_port_label": "4443 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 1 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde HTTP (tag nosqli-3) \u00b7 confiance 50%",
"classification_reason_label_fr": "Sonde HTTP (tag nosqli-3) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15,
"risk_score": 40
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 4443,
"protocol_emulated": true,
"tags_summary": [
"INT-benign-favicon",
"INT-single-port",
"INT-benign-path-cap"
],
"tags_summary_labels_fr": [
"Requ\u00eate favicon.ico",
"Single Port",
"Chemin b\u00e9nin connu"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36",
"port": 4443,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "Sonde HTTP \u00b7 via HTTP:4443 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico",
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.63",
"target_port_label": "4443 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 1 tag(s) WAF",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 32 \u00b7 1 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "4443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950470:nosqli-3",
"net_web_probe"
]
}
|
|
|
TCP |
135 · MSRPC
|
msrpc
|
Sonde PostgreSQL
postgres probe · via MSRPC:135 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 02f32644e1b0655c
Émulateur
MSRPC
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
135
Chemin / cible
—
Service
MSRPC
Payload
�������������' y�E��J�)�q�4���y>�/��u��(-����B������� ��� ���/�5��� �$�#� � ���(�'�������=�<�5�/� ���������+�/�����.���������� �
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
59%
Corrélation +10
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������'
y�E��J�)�q�4���y>�/��u��(-����B������� ���
���/�5���
�$�#�
� ���(�'�������=�<�5�/�
���������+�/�����.�����
Requête brute (extrait)
�������������' y�E��J�)�q�4���y>�/��u��(-����B������� ��� ���/�5��� �$�#� � ���(�'�������=�<�5�/� ���������+�/�����.���������� ����������� ����� � ��������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206d7372706320726561647920706f72743d3133350d0a",
"emulator_response_len": 35,
"bytes_in": 162,
"payload_entropy": 4.802580602178572,
"port_category": "well_known",
"org": "Sistemas Informaticos, S.A.",
"service": "msrpc",
"app_proto": "msrpc",
"asn": 211680,
"country": "PT",
"dst_port": 135,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "5e10a7fce38f4d366ad21a1c0601687d4b8aa778",
"event_fingerprint": "ee04cb302187f8727d545b1eea4782a6fc19fb64",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "msrpc",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "PT",
"asn": 211680,
"org": "Sistemas Informaticos, S.A.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "447e7970c51afefb4af253ee4ca75526",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "02f32644e1b0655c19aaa3a2d6778b1e",
"ja4": "a3533e7527e047470b74402d4bc8a6dd",
"tls_version": "0x0303",
"tls_cipher_count": 33,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "02f32644e1b0655c19aaa3a2d6778b1e",
"tls_ja3": "771,49169-49159-49171-49161-49172-49162-5-47-53-49170-10-49188-49187-49162-49161-49160-49192-49191-49172-49171-49170-61-60-53-47-10-49159-49169-5-4-49195-49199-156,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3533e7527e047470b74402d4bc8a6dd",
"tls_ja4": "t13d0133_ad3470b4f447_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 33,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 135,
"service": "msrpc",
"service_name": "msrpc",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd'\ry\ufffdE\ufffd\ufffdJ\ufffd)\ufffdq\ufffd4\ufffd\ufffd\ufffdy>\ufffd\/\u001d\ufffdu\ufffd\u0012(-\ufffd\ufffd\u0000\u0000B\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\n\ufffd\t\ufffd\b\ufffd(\ufffd'\ufffd\u0014\ufffd\u0013\ufffd\u0012\u0000=\u0000<\u00005\u0000\/\u0000\n\ufffd\u0007\ufffd\u0011\u0000\u0005\u0000\u0004\ufffd+\ufffd\/\u0000\ufffd\u0001\u0000\u0000.\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd'\ry\ufffdE\ufffd\ufffdJ\ufffd)\ufffdq\ufffd4\ufffd\ufffd\ufffdy>\ufffd\/\u001d\ufffdu\ufffd\u0012(-\ufffd\ufffd\u0000\u0000B\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\n\ufffd\t\ufffd\b\ufffd(\ufffd'\ufffd\u0014\ufffd\u0013\ufffd\u0012\u0000=\u0000<\u00005\u0000\/\u0000\n\ufffd\u0007\ufffd\u0011\u0000\u0005\u0000\u0004\ufffd+\ufffd\/\u0000\ufffd\u0001\u0000\u0000.\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\n\u0000\b\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd'\ry\ufffdE\ufffd\ufffdJ\ufffd)\ufffdq\ufffd4\ufffd\ufffd\ufffdy>\ufffd\/\u001d\ufffdu\ufffd\u0012(-\ufffd\ufffd\u0000\u0000B\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\n\ufffd\t\ufffd\b\ufffd(\ufffd'\ufffd\u0014\ufffd\u0013\ufffd\u0012\u0000=\u0000<\u00005\u0000\/\u0000\n\ufffd\u0007\ufffd\u0011\u0000\u0005\u0000\u0004\ufffd+\ufffd\/\u0000\ufffd\u0001\u0000\u0000.\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "72f6bdc995e2903bdc8cd8104262c8e794ba1b61",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd'\ry\ufffdE\ufffd\ufffdJ\ufffd)\ufffdq\ufffd4\ufffd\ufffd\ufffdy>\ufffd\/\u001d\ufffdu\ufffd\u0012(-\ufffd\ufffd\u0000\u0000B\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\n\ufffd\t\ufffd\b\ufffd(\ufffd'\ufffd\u0014\ufffd\u0013\ufffd\u0012\u0000=\u0000<\u00005\u0000\/\u0000\n\ufffd\u0007\ufffd\u0011\u0000\u0005\u0000\u0004\ufffd+\ufffd\/\u0000\ufffd\u0001\u0000\u0000.\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000",
"tls_ja3": "02f32644e1b0655c19aaa3a2d6778b1e",
"tls_ja4": "a3533e7527e047470b74402d4bc8a6dd",
"port": 135,
"service": "msrpc",
"service_label_fr": "MSRPC"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd'\ry\ufffdE\ufffd\ufffdJ\ufffd)\ufffdq\ufffd4\ufffd\ufffd\ufffdy>\ufffd\/\ufffdu\ufffd(-\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n\ufffd$\ufffd#\ufffd\n\ufffd\t\ufffd\ufffd(\ufffd'\ufffd\ufffd\ufffd=<5\/\n\ufffd\ufffd\ufffd+\ufffd\/\ufffd.",
"attack_vector": "postgres probe \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)",
"target_port_label": "135 \u00b7 MSRPC",
"emulator_service": "msrpc",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 10
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "msrpc",
"service_label_fr": "MSRPC",
"dst_port": 135,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-msrpc",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd'\ry\ufffdE\ufffd\ufffdJ\ufffd)\ufffdq\ufffd4\ufffd\ufffd\ufffdy>\ufffd\/\u001d\ufffdu\ufffd\u0012(-\ufffd\ufffd\u0000\u0000B\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\n\ufffd\t\ufffd\b\ufffd(\ufffd'\ufffd\u0014\ufffd\u0013\ufffd\u0012\u0000=\u0000<\u00005\u0000\/\u0000\n\ufffd\u0007\ufffd\u0011\u0000\u0005\u0000\u0004\ufffd+\ufffd\/\u0000\ufffd\u0001\u0000\u0000.\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000",
"tls_ja3": "02f32644e1b0655c19aaa3a2d6778b1e",
"tls_ja4": "a3533e7527e047470b74402d4bc8a6dd",
"port": 135,
"service": "msrpc",
"service_label_fr": "MSRPC"
},
"attack_vector": "postgres probe \u00b7 via MSRPC:135 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd'\ry\ufffdE\ufffd\ufffdJ\ufffd)\ufffdq\ufffd4\ufffd\ufffd\ufffdy>\ufffd\/\ufffdu\ufffd(-\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n\ufffd$\ufffd#\ufffd\n\ufffd\t\ufffd\ufffd(\ufffd'\ufffd\ufffd\ufffd=<5\/\n\ufffd\ufffd\ufffd+\ufffd\/\ufffd.",
"target_port_label": "135 \u00b7 MSRPC",
"emulator_service": "msrpc",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.156.129.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "msrpc",
"service_banner": "honeypot-msrpc",
"service_os": "linux",
"dst_port": "135"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "45.156.129.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
515 · LPD
|
lpd
|
Sonde SSH
Sonde SSH · via LPD:515 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
LPD
WAF
—
Recommandation
Surveiller
Tags
net_ssh_probe
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
515
Chemin / cible
—
Service
LPD
Payload
SSH-2.0-Go
Pourquoi cette classification : Bannière client SSH reçue · confiance 95%
Confiance classification
100%
Corrélation +10
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-Go
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206c706420726561647920706f72743d3531350d0a",
"emulator_response_len": 33,
"bytes_in": 12,
"payload_entropy": 3.2516291673878226,
"port_category": "well_known",
"org": "Sistemas Informaticos, S.A.",
"service": "lpd",
"app_proto": "lpd",
"asn": 211680,
"country": "PT",
"dst_port": 515,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.7,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 48,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "90290d7d633cefa5efc26a989cc57c445622dbfd",
"event_fingerprint": "74528c3d58bd2c1e31b6a633092ac93fd227b52d",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 83,
"precision_signals": [
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253"
],
"pattern_ids": [
"pat-0391"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 48,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "lpd",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "PT",
"asn": 211680,
"org": "Sistemas Informaticos, S.A.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e9e55307b9c6c1bf5bae2abdb628281d",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 515,
"service": "lpd",
"service_name": "lpd",
"risk_score": 48
},
"payload_preview": "SSH-2.0-Go\r\n",
"request_sample": "SSH-2.0-Go\r\n",
"payload_snippet": "SSH-2.0-Go",
"evidence": {
"request_sample": "SSH-2.0-Go\r\n",
"payload_snippet": "SSH-2.0-Go",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ecf3c34e2b65763d19ab7859fdb8ddcf6d735332",
"protocol_details": {
"payload_preview": "SSH-2.0-Go",
"port": 515,
"service": "lpd",
"service_label_fr": "LPD"
},
"evidence_snippet": "SSH-2.0-Go",
"attack_vector": "Sonde SSH \u00b7 via LPD:515 \u00b7 (sonde \/ probe)",
"target_port_label": "515 \u00b7 LPD",
"emulator_service": "lpd",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 48,
"correlation_boost": 10
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "lpd",
"service_label_fr": "LPD",
"dst_port": 515,
"protocol_emulated": true,
"tags_summary": [
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0391",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-lpd",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"payload_preview": "SSH-2.0-Go",
"port": 515,
"service": "lpd",
"service_label_fr": "LPD"
},
"attack_vector": "Sonde SSH \u00b7 via LPD:515 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-Go",
"target_port_label": "515 \u00b7 LPD",
"emulator_service": "lpd",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.156.129.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "lpd",
"service_banner": "honeypot-lpd",
"service_os": "linux",
"dst_port": "515"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "45.156.129.0\/24",
"coordinated_ip_count": 4,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_ssh_probe",
"ssh_banner"
]
}
|
|
|
TCP |
515 · LPD
|
lpd
|
Sonde PostgreSQL
postgres probe · via LPD:515 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
LPD
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
515
Chemin / cible
—
Service
LPD
Payload
�����������ֳ���Y�䓔��q�mD�����2��M�bB� � *6�30��ﳓ�=o�������Xv��h�Uz<q�&̨̩�/�0�+�,��� ��� �����/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
59%
Corrélation +10
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������ֳ���Y�䓔��q�mD�����2��M�bB� � *6�30��ﳓ�=o�������Xv��h�Uz<q�&̨̩�/�0�+�,��� ���
�����/�5���
���������w�����
Requête brute (extrait)
�����������ֳ���Y�䓔��q�mD�����2��M�bB� � *6�30��ﳓ�=o�������Xv��h�Uz<q�&̨̩�/�0�+�,��� ��� �����/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �E+��,�fAQpL�ӥc�L�������F��!jG
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206c706420726561647920706f72743d3531350d0a",
"emulator_response_len": 33,
"bytes_in": 239,
"payload_entropy": 5.866844600681723,
"port_category": "well_known",
"org": "Sistemas Informaticos, S.A.",
"service": "lpd",
"app_proto": "lpd",
"asn": 211680,
"country": "PT",
"dst_port": 515,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "1ea374ae7c58fbf8227cbc13693ca424aab98d24",
"event_fingerprint": "a19fd83a9856f1c122b80b6c10e618dae1ce3474",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "lpd",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "PT",
"asn": 211680,
"org": "Sistemas Informaticos, S.A.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "27ed7550f3309fa81e5ebab60cd994eb",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 515,
"service": "lpd",
"service_name": "lpd",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05b3\ufffd\ufffd\u0001Y\ufffd\u44d4\ufffd\ufffdq\ufffdmD\u001c\ufffd\ufffd\ufffd\u000e2\ufffd\ufffdM\ufffdbB\ufffd \ufffd\t*6\u000230\ufffd\ufffd\ufcd3\ufffd=o\ufffd\ufffd\ufffd\ufffd\u0000\ufffd\ufffdXv\ufffd\u001bh\ufffdUz<q\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05b3\ufffd\ufffd\u0001Y\ufffd\u44d4\ufffd\ufffdq\ufffdmD\u001c\ufffd\ufffd\ufffd\u000e2\ufffd\ufffdM\ufffdbB\ufffd \ufffd\t*6\u000230\ufffd\ufffd\ufcd3\ufffd=o\ufffd\ufffd\ufffd\ufffd\u0000\ufffd\ufffdXv\ufffd\u001bh\ufffdUz<q\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0018E+\ufffd\ufffd,\ufffdfAQpL\u0016\u04e5c\ufffdL\ufffd\ufffd\ufffd\ufffd\u0016\ufffd\u0006F\ufffd\ufffd!jG\f",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05b3\ufffd\ufffd\u0001Y\ufffd\u44d4\ufffd\ufffdq\ufffdmD\u001c\ufffd\ufffd\ufffd\u000e2\ufffd\ufffdM\ufffdbB\ufffd \ufffd\t*6\u000230\ufffd\ufffd\ufcd3\ufffd=o\ufffd\ufffd\ufffd\ufffd\u0000\ufffd\ufffdXv\ufffd\u001bh\ufffdUz<q\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "361dc34f5d8b5d6c0d4619e64f960b57b92d4e5f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05b3\ufffd\ufffd\u0001Y\ufffd\u44d4\ufffd\ufffdq\ufffdmD\u001c\ufffd\ufffd\ufffd\u000e2\ufffd\ufffdM\ufffdbB\ufffd \ufffd\t*6\u000230\ufffd\ufffd\ufcd3\ufffd=o\ufffd\ufffd\ufffd\ufffd\u0000\ufffd\ufffdXv\ufffd\u001bh\ufffdUz<q\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 515,
"service": "lpd",
"service_label_fr": "LPD"
},
"evidence_snippet": "\ufffd\ufffd\u05b3\ufffd\ufffdY\ufffd\u44d4\ufffd\ufffdq\ufffdmD\ufffd\ufffd\ufffd2\ufffd\ufffdM\ufffdbB\ufffd \ufffd\t*630\ufffd\ufffd\ufcd3\ufffd=o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdXv\ufffdh\ufffdUz<q&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via LPD:515 \u00b7 (sonde \/ probe)",
"target_port_label": "515 \u00b7 LPD",
"emulator_service": "lpd",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 10
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "lpd",
"service_label_fr": "LPD",
"dst_port": 515,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-lpd",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05b3\ufffd\ufffd\u0001Y\ufffd\u44d4\ufffd\ufffdq\ufffdmD\u001c\ufffd\ufffd\ufffd\u000e2\ufffd\ufffdM\ufffdbB\ufffd \ufffd\t*6\u000230\ufffd\ufffd\ufcd3\ufffd=o\ufffd\ufffd\ufffd\ufffd\u0000\ufffd\ufffdXv\ufffd\u001bh\ufffdUz<q\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 515,
"service": "lpd",
"service_label_fr": "LPD"
},
"attack_vector": "postgres probe \u00b7 via LPD:515 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\u05b3\ufffd\ufffdY\ufffd\u44d4\ufffd\ufffdq\ufffdmD\ufffd\ufffd\ufffd2\ufffd\ufffdM\ufffdbB\ufffd \ufffd\t*630\ufffd\ufffd\ufcd3\ufffd=o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdXv\ufffdh\ufffdUz<q&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "515 \u00b7 LPD",
"emulator_service": "lpd",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.156.129.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "lpd",
"service_banner": "honeypot-lpd",
"service_os": "linux",
"dst_port": "515"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "45.156.129.0\/24",
"coordinated_ip_count": 4,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
515 · LPD
|
lpd
|
lpd
lpd · via LPD:515 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
LPD
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
515
Chemin / cible
—
Pourquoi cette classification : Type « lpd » (signaux protocolaires) · confiance 0%
Confiance classification
10%
Corrélation +10
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206c706420726561647920706f72743d3531350d0a",
"emulator_response_len": 33,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Sistemas Informaticos, S.A.",
"service": "lpd",
"app_proto": "lpd",
"asn": 211680,
"country": "PT",
"dst_port": 515,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4fe2a5980ed711910f8d59416d28e6ba0238e0fc",
"event_fingerprint": "a19fd83a9856f1c122b80b6c10e618dae1ce3474",
"classification_reason": "Type \u00ab lpd \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0.1,
"classification_confidence": 0.1,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "lpd",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "PT",
"asn": 211680,
"org": "Sistemas Informaticos, S.A.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "ebe4a1b422624ccc71016f86c2a12169"
},
"target_context": {
"dst_port": 515,
"service": "lpd",
"service_name": "lpd",
"risk_score": 0
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cd4aaa543fe38cb31fae51d7a36c6f564a317cd7",
"protocol_details": {
"port": 515,
"service": "lpd",
"service_label_fr": "LPD"
},
"attack_vector": "lpd \u00b7 via LPD:515 \u00b7 (sonde \/ probe)",
"target_port_label": "515 \u00b7 LPD",
"emulator_service": "lpd",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lpd \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab lpd \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 10,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0,
"correlation_boost": 10
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "lpd",
"service_label_fr": "LPD",
"dst_port": 515,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-lpd",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"port": 515,
"service": "lpd",
"service_label_fr": "LPD"
},
"attack_vector": "lpd \u00b7 via LPD:515 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "515 \u00b7 LPD",
"emulator_service": "lpd",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": "Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.156.129.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "lpd",
"service_banner": "honeypot-lpd",
"service_os": "linux",
"dst_port": "515"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "45.156.129.0\/24",
"coordinated_ip_count": 4,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
111 · RPCBIND
|
rpcbind
|
rpcbind
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0007
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
111
Chemin / cible
—
Pourquoi cette classification : Type « rpcbind » (signaux protocolaires) · confiance 0%
Confiance classification
10%
Corrélation +10
Risque capteur
Faible
· 0
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742072706362696e6420726561647920706f72743d3131310d0a",
"emulator_response_len": 37,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Sistemas Informaticos, S.A.",
"service": "rpcbind",
"app_proto": "rpcbind",
"asn": 211680,
"country": "PT",
"dst_port": 111,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "cb7111b7025c2cce60546a645a18f17eb43006a0",
"event_fingerprint": "12ba1c68e7492175a269709e3873ed5d3d0923fd",
"classification_reason": "Type \u00ab rpcbind \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0.1,
"classification_confidence": 0.1,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "rpcbind",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "PT",
"asn": 211680,
"org": "Sistemas Informaticos, S.A.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "b7f2141eed144d4380620b7f10620b31"
},
"target_context": {
"dst_port": 111,
"service": "rpcbind",
"service_name": "rpcbind",
"risk_score": 0
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "70522d32cd25e64a525f7e82a96117e915f29018",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab rpcbind \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab rpcbind \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence_pct": 10,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0,
"correlation_boost": 10
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "rpcbind",
"service_label_fr": "RPCBIND",
"dst_port": 111,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-rpcbind",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10"
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "rpcbind",
"service_banner": "honeypot-rpcbind",
"service_os": "linux",
"dst_port": "111"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "45.156.129.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
111 · RPCBIND
|
rpcbind
|
Botnet Mozi
|
Élevée
|
Faible · 37
|
|
Étape
Commande & contrôle
Chaîne
Commande & contrôle
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0011
TA0011
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mozi_pattern
net_mozi_pattern
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
111
Chemin / cible
—
Pourquoi cette classification : Type « mozi_pattern » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 37
Protocole émulé
1
Technique MITRE
TA0011
Tactiques MITRE
TA0011
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:111
User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:111 User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742072706362696e6420726561647920706f72743d3131310d0a",
"emulator_response_len": 37,
"bytes_in": 175,
"payload_entropy": 5.291371312992715,
"port_category": "well_known",
"org": "Sistemas Informaticos, S.A.",
"service": "rpcbind",
"app_proto": "rpcbind",
"asn": 211680,
"country": "PT",
"dst_port": 111,
"risk_waf": 8,
"risk_classification": 82,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 3.9,
"risk_breakdown": {
"waf": 8,
"classification": 82,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15
},
"risk_score": 37,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ff25e54bfe7045a1e525609b697a265eaa09427f",
"event_fingerprint": "d3ff69bb1cff7aa60df81a54376689f2510b9878",
"classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 82,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15,
"risk_score": 37
},
"named_classification_skipped": false,
"service_name": "rpcbind",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "PT",
"asn": 211680,
"org": "Sistemas Informaticos, S.A.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c6ff5ac52bd8892a32afeffac34a60b1",
"path_pattern_hash": "762d384fab941f6d0c2239f19994f30e"
},
"target_context": {
"dst_port": 111,
"service": "rpcbind",
"service_name": "rpcbind",
"risk_score": 37
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:111\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:111\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:111\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:111\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:111\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari",
"classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "c2",
"mitre_tactics": [
"TA0011"
],
"mitre": "TA0011",
"threat_family": [
"botnet"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8faaef2204446ba3697be6bf67a2002cdfa6b802",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 82,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15,
"risk_score": 37
},
"attack_stage": "c2",
"attack_stage_label": "Commande & contr\u00f4le",
"attack_chain_stage": "command_and_control",
"attack_chain_stage_label_fr": "Commande & contr\u00f4le",
"risk_score": 37,
"risk_label": "Faible",
"service_name": "rpcbind",
"service_label_fr": "RPCBIND",
"dst_port": 111,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0011",
"mitre_technique": "TA0011",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-rpcbind",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "rpcbind",
"service_banner": "honeypot-rpcbind",
"service_os": "linux",
"dst_port": "111"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "command_and_control",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mozi_pattern",
"net_mozi_pattern"
]
}
|
|
|
TCP |
9200 · ELASTICSEARCH
|
elasticsearch
|
Sonde HTTP
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Corrélations
Scan coordonné
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950470:nosqli-3
net_elasticsearch_probe
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9200
Chemin / cible
/favicon.ico
Pourquoi cette classification : Sonde HTTP (tag nosqli-3) · confiance 56%
Confiance classification
66%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36
Règles WAF
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:9200
User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.63
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:9200 User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c",
"emulator_response_len": 172,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "c7e3312ad89b5c953c233d6bb536f12495aec80f",
"http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 187,
"payload_entropy": 5.3288873388407865,
"port_category": "registered",
"org": "Sistemas Informaticos, S.A.",
"service": "elasticsearch",
"app_proto": "elasticsearch",
"asn": 211680,
"country": "PT",
"dst_port": 9200,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.5,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "cbed9873b865aaa34a4d0f997c3f493fe9bcb2ad",
"event_fingerprint": "d56e2e2981aa481456b9c9cc637fe7e2eb474b59",
"classification_reason": "Sonde HTTP (tag nosqli-3) \u00b7 confiance 56%",
"confidence": 0.66,
"classification_confidence": 0.66,
"precision_score": 62,
"precision_signals": [
"INT-benign-favicon",
"INT-benign-path-cap"
],
"kb_rule_ids": [
"INT-benign-favicon",
"INT-benign-path-cap"
],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "elasticsearch",
"risk_confidence_factor": 56,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "PT",
"asn": 211680,
"org": "Sistemas Informaticos, S.A.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "4dcb5466a1cf9e92d38fdee8553b0c1e",
"payload_hash": "bacfcc494f1dc80d22606c323b030a56",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 9200,
"service": "elasticsearch",
"service_name": "elasticsearch",
"risk_score": 42
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.63",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36",
"waf_tags": [
"950470:nosqli-3"
],
"waf_rule_names": [
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.63",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36",
"waf_tags": [
"950470:nosqli-3"
],
"waf_rule_names": [
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.63",
"classification_reason": "Sonde HTTP (tag nosqli-3) \u00b7 confiance 56%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "80ef979ac1222554e1db5876ee8d2d576f86b279",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "elasticsearch",
"service_banner": "Elasticsearch 8.11",
"service_os": "linux",
"dst_port": "9200"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "45.156.129.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "probe",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950470:nosqli-3",
"net_elasticsearch_probe"
]
}
|
|
|
TCP |
16992
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
16992
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
16992
|
ssh
|
Sonde SSH
|
Élevée
|
Élevé · 74
|
|
Étape
—
WAF
—
Recommandation
—
Tags
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
5432
|
postgres
|
postgres attack
|
Élevée
|
Élevé · 72
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
5432
|
postgres
|
postgres attack
|
Élevée
|
Élevé · 72
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
3541
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
3541
|
http
|
Sonde HTTP
|
Élevée
|
Moyen · 57
|
|
Étape
—
WAF
9
Recommandation
—
Tags
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
3541
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36
Règles WAF
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "c7e3312ad89b5c953c233d6bb536f12495aec80f",
"http_host_hash": "bbf3847167b1a2674fc541e6603fa4217338b826",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 176,
"payload_entropy": 5.310399134391307,
"port_category": "registered",
"org": "Sistemas Informaticos, S.A.",
"service": "http",
"app_proto": "http",
"asn": 211680,
"country": "PT",
"tag_count": 2,
"anomaly_count": 0,
"risk_score": 57,
"campaign_key": "2133e3eee6964c7577c01e47a92dfcba30e08dca",
"event_fingerprint": "4c38537176be6e0eac5e1d50eb8de4dace3192f5",
"tags_list": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
2081
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
2081
|
http
|
Sonde HTTP
|
Élevée
|
Moyen · 57
|
|
Étape
—
WAF
9
Recommandation
—
Tags
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2081
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36
Règles WAF
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "c7e3312ad89b5c953c233d6bb536f12495aec80f",
"http_host_hash": "38557ca76ddb5a88f882027ad78428feeb57e74d",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 176,
"payload_entropy": 5.309316017429129,
"port_category": "registered",
"org": "Sistemas Informaticos, S.A.",
"service": "http",
"app_proto": "http",
"asn": 211680,
"country": "PT",
"tag_count": 2,
"anomaly_count": 0,
"risk_score": 57,
"campaign_key": "85ad6526636e348b596b0eb98526cf9c16e2a98e",
"event_fingerprint": "783be060a3b8bfdfe24c83b57905a3df95d39295",
"tags_list": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
8060
|
ssh
|
Sonde SSH
|
Élevée
|
Élevé · 74
|
|
Étape
—
WAF
—
Recommandation
—
Tags
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
8060
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
8060
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
8060
|
http
|
Sonde HTTP
|
Élevée
|
Moyen · 57
|
|
Étape
—
WAF
9
Recommandation
—
Tags
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8060
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36
Règles WAF
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "c7e3312ad89b5c953c233d6bb536f12495aec80f",
"http_host_hash": "659aba210ed45d12732dc398ec420869b9d4d3d3",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 176,
"payload_entropy": 5.305594301337916,
"port_category": "registered",
"org": "Sistemas Informaticos, S.A.",
"service": "http",
"app_proto": "http",
"asn": 211680,
"country": "PT",
"tag_count": 2,
"anomaly_count": 0,
"risk_score": 57,
"campaign_key": "bdf5062c7916e5fc97ab1165fd978097825a0877",
"event_fingerprint": "c97a0be0fedbb760e93fde1fabb9499c3d1d4987",
"tags_list": [
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|