Détails IP 45.156.129.67

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « postgres_probe » (signaux protocolaires) · confiance 49%

Confiance 59 % — Score WAF 8 · Bonus corrélation +10

Comparaison ASN / FAI

ASN 211680 · 45.156.129.0/24 · RIPENCC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 9 événements sur la période pour cette IP.

45.156.129.91 Sonde HTTP 21/06/2026 02:28 UTC
45.156.129.90 webmin probe 21/06/2026 02:27 UTC
45.156.128.59 Sonde HTTP 21/06/2026 02:19 UTC
45.156.128.57 Sonde HTTP 21/06/2026 02:18 UTC
45.156.128.56 Sonde HTTP 21/06/2026 02:18 UTC
45.156.128.58 Sonde HTTP 20/06/2026 23:32 UTC
45.156.129.77 Sonde HTTP 20/06/2026 23:25 UTC
45.156.129.75 Sonde HTTP 20/06/2026 23:25 UTC

IPs apparentées

Même FAI Sistemas Informaticos, S.A. — corrélation indicative.

45.156.129.91 Sonde HTTP
45.156.129.90 webmin probe
45.156.128.59 Sonde HTTP
45.156.128.57 Sonde HTTP
45.156.128.56 Sonde HTTP

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

TLS TCP 3 QOTD TCP 3 DNS TCP 1 HTTP TCP 1 HTTPS TCP 1

TLS

3

QOTD

3

DNS

1

HTTP

1

HTTPS

1

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

9 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
20/06/2026 20:26:19 UTC	TCP	17 · QOTD	qotd	Sonde PostgreSQL postgres probe · via QOTD:17 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole JA3 02f32644e1b0655c Émulateur QOTD WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 17 Chemin / cible — Service QOTD Payload ��$�c�!�n<Z"Vt��`9�5�IT�Y�B�� /5� �$�#� � ��(�'��=<5/ ��+�/�. Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 59% Corrélation +10 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��$�c�!�n<Z"Vt��`9�5�IT�Y�B�� /5� �$�#� � ��(�'��=<5/ ��+�/�. Requête brute (extrait) ��$�c�!�n<Z"Vt��`9�5�IT�Y�B�� /5� �$�#� � ��(�'��=<5/ ��+�/�. � Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420716f746420726561647920706f72743d31370d0a", "emulator_response_len": 33, "bytes_in": 162, "payload_entropy": 4.714980104043243, "port_category": "well_known", "org": "Sistemas Informaticos, S.A.", "service": "qotd", "app_proto": "qotd", "asn": 211680, "country": "PT", "dst_port": 17, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "aeb78d8f632ef5bf5dec7d24f95e62262b4fe93b", "event_fingerprint": "917c51aa556584d547f732d57cbdec61e7567771", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "qotd", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PT", "asn": 211680, "org": "Sistemas Informaticos, S.A.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8326b9a1706932e467746937995b1988", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "02f32644e1b0655c19aaa3a2d6778b1e", "ja4": "a3533e7527e047470b74402d4bc8a6dd", "tls_version": "0x0303", "tls_cipher_count": 33, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "02f32644e1b0655c19aaa3a2d6778b1e", "tls_ja3": "771,49169-49159-49171-49161-49172-49162-5-47-53-49170-10-49188-49187-49162-49161-49160-49192-49191-49172-49171-49170-61-60-53-47-10-49159-49169-5-4-49195-49199-156,5-10-11-13-65281,23-24-25,0", "tls_ja4_hash": "a3533e7527e047470b74402d4bc8a6dd", "tls_ja4": "t13d0133_ad3470b4f447_40d2e578a3e2", "tls_version": "0x0303", "tls_cipher_count": 33, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 17, "service": "qotd", "service_name": "qotd", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\u0018$\u0011\ufffdc\ufffd!\u0001\ufffdn<Z\"Vt\ufffd\u0000\ufffd`9\ufffd5\u0006\ufffdIT\ufffdY\ufffd\u0000\u0000B\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\n\ufffd\t\ufffd\b\ufffd(\ufffd'\ufffd\u0014\ufffd\u0013\ufffd\u0012\u0000=\u0000<\u00005\u0000\/\u0000\n\ufffd\u0007\ufffd\u0011\u0000\u0005\u0000\u0004\ufffd+\ufffd\/\u0000\ufffd\u0001\u0000\u0000.\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\u0018$\u0011\ufffdc\ufffd!\u0001\ufffdn<Z\"Vt\ufffd\u0000\ufffd`9\ufffd5\u0006\ufffdIT\ufffdY\ufffd\u0000\u0000B\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\n\ufffd\t\ufffd\b\ufffd(\ufffd'\ufffd\u0014\ufffd\u0013\ufffd\u0012\u0000=\u0000<\u00005\u0000\/\u0000\n\ufffd\u0007\ufffd\u0011\u0000\u0005\u0000\u0004\ufffd+\ufffd\/\u0000\ufffd\u0001\u0000\u0000.\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\n\u0000\b\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\u0018$\u0011\ufffdc\ufffd!\u0001\ufffdn<Z\"Vt\ufffd\u0000\ufffd`9\ufffd5\u0006\ufffdIT\ufffdY\ufffd\u0000\u0000B\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\n\ufffd\t\ufffd\b\ufffd(\ufffd'\ufffd\u0014\ufffd\u0013\ufffd\u0012\u0000=\u0000<\u00005\u0000\/\u0000\n\ufffd\u0007\ufffd\u0011\u0000\u0005\u0000\u0004\ufffd+\ufffd\/\u0000\ufffd\u0001\u0000\u0000.\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9633af850c56057da01d27096675a6a9ffa062cb", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\u0018$\u0011\ufffdc\ufffd!\u0001\ufffdn<Z\"Vt\ufffd\u0000\ufffd`9\ufffd5\u0006\ufffdIT\ufffdY\ufffd\u0000\u0000B\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\n\ufffd\t\ufffd\b\ufffd(\ufffd'\ufffd\u0014\ufffd\u0013\ufffd\u0012\u0000=\u0000<\u00005\u0000\/\u0000\n\ufffd\u0007\ufffd\u0011\u0000\u0005\u0000\u0004\ufffd+\ufffd\/\u0000\ufffd\u0001\u0000\u0000.\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000", "tls_ja3": "02f32644e1b0655c19aaa3a2d6778b1e", "tls_ja4": "a3533e7527e047470b74402d4bc8a6dd", "port": 17, "service": "qotd", "service_label_fr": "QOTD" }, "evidence_snippet": "\ufffd\ufffd\ufffd$\ufffdc\ufffd!\ufffdn<Z\"Vt\ufffd\ufffd`9\ufffd5\ufffdIT\ufffdY\ufffdB\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n\ufffd$\ufffd#\ufffd\n\ufffd\t\ufffd\ufffd(\ufffd'\ufffd\ufffd\ufffd=<5\/\n\ufffd\ufffd\ufffd+\ufffd\/\ufffd.", "attack_vector": "postgres probe \u00b7 via QOTD:17 \u00b7 (sonde \/ probe)", "target_port_label": "17 \u00b7 QOTD", "emulator_service": "qotd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 59, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 35, "risk_label": "Faible", "service_name": "qotd", "service_label_fr": "QOTD", "dst_port": 17, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-qotd", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\u0018$\u0011\ufffdc\ufffd!\u0001\ufffdn<Z\"Vt\ufffd\u0000\ufffd`9\ufffd5\u0006\ufffdIT\ufffdY\ufffd\u0000\u0000B\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\n\ufffd\t\ufffd\b\ufffd(\ufffd'\ufffd\u0014\ufffd\u0013\ufffd\u0012\u0000=\u0000<\u00005\u0000\/\u0000\n\ufffd\u0007\ufffd\u0011\u0000\u0005\u0000\u0004\ufffd+\ufffd\/\u0000\ufffd\u0001\u0000\u0000.\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000", "tls_ja3": "02f32644e1b0655c19aaa3a2d6778b1e", "tls_ja4": "a3533e7527e047470b74402d4bc8a6dd", "port": 17, "service": "qotd", "service_label_fr": "QOTD" }, "attack_vector": "postgres probe \u00b7 via QOTD:17 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd*$\ufffdc\ufffd!\ufffdn<Z\"Vt\ufffd\ufffd`9\ufffd5\ufffdIT\ufffdY\ufffdB\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n\ufffd$\ufffd#\ufffd\n\ufffd\t\ufffd\ufffd(\ufffd'\ufffd\ufffd\ufffd=<5\/\n\ufffd\ufffd\ufffd+\ufffd\/\ufffd.", "target_port_label": "17 \u00b7 QOTD", "emulator_service": "qotd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.156.129.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "qotd", "service_banner": "honeypot-qotd", "service_os": "linux", "dst_port": "17" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.156.129.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
20/06/2026 20:26:19 UTC	TCP	17 · QOTD	qotd	Sonde PostgreSQL postgres probe · via QOTD:17 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole JA3 35fa0a83e466acbe Émulateur QOTD WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 17 Chemin / cible — Service QOTD Payload �� ׵:��m��K�0�ۅ��S ��.� Z��\|d��s�J�r1�Cr_�q\|6��&̨̩�/�0�+�,�� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 59% Corrélation +10 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �� ׵:��m��K�0�ۅ��S ��.�Z��\|d��s�J�r1�Cr_�q\|6��&̨̩�/�0�+�,�� /5� w Requête brute (extrait) �� ׵:��m��K�0�ۅ��S ��.� Z��\|d��s�J�r1�Cr_�q\|6��&̨̩�/�0�+�,�� /5� w �+3&$ x�᫣e�n��B"�n�V9gḰ�;�X#�<�^ Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420716f746420726561647920706f72743d31370d0a", "emulator_response_len": 33, "bytes_in": 239, "payload_entropy": 5.879757430502561, "port_category": "well_known", "org": "Sistemas Informaticos, S.A.", "service": "qotd", "app_proto": "qotd", "asn": 211680, "country": "PT", "dst_port": 17, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "aeb78d8f632ef5bf5dec7d24f95e62262b4fe93b", "event_fingerprint": "917c51aa556584d547f732d57cbdec61e7567771", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "qotd", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PT", "asn": 211680, "org": "Sistemas Informaticos, S.A.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e14ef44aae0fd74f0da8c0539b4ca3f9", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "35fa0a83e466acbec1cfbb9016d550ab", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 17, "service": "qotd", "service_name": "qotd", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000e\u001d\u0006\t\ufffd\ufffd\ufffd\u05f5:\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffdK\ufffd0\ufffd\u06c5\ufffd\ufffd\ufffdS\ued9d \ufffd\ufffd.\ufffd\u000bZ\ufffd\ufffd\|d\u0014\ufffd\ufffd\ufffds\ufffdJ\ufffdr1\ufffd\u0002Cr_\ufffdq\|6\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000e\u001d\u0006\t\ufffd\ufffd\ufffd\u05f5:\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffdK\ufffd0\ufffd\u06c5\ufffd\ufffd\ufffdS\ued9d \ufffd\ufffd.\ufffd\u000bZ\ufffd\ufffd\|d\u0014\ufffd\ufffd\ufffds\ufffdJ\ufffdr1\ufffd\u0002Cr_\ufffdq\|6\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 x\ufffd\u1ae3e\ufffdn\ufffd\ufffdB\"\ufffdn\ufffdV9g\u1e30\ufffd;\ufffd\u0017X#\ufffd<\u0000\ufffd^", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000e\u001d\u0006\t\ufffd\ufffd\ufffd\u05f5:\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffdK\ufffd0\ufffd\u06c5\ufffd\ufffd\ufffdS\ued9d \ufffd\ufffd.\ufffd\u000bZ\ufffd\ufffd\|d\u0014\ufffd\ufffd\ufffds\ufffdJ\ufffdr1\ufffd\u0002Cr_\ufffdq\|6\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5a6fdedfc9ff4d2042674156eaba989d3bc334a3", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000e\u001d\u0006\t\ufffd\ufffd\ufffd\u05f5:\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffdK\ufffd0\ufffd\u06c5\ufffd\ufffd\ufffdS\ued9d \ufffd\ufffd.\ufffd\u000bZ\ufffd\ufffd\|d\u0014\ufffd\ufffd\ufffds\ufffdJ\ufffdr1\ufffd\u0002Cr_\ufffdq\|6\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 17, "service": "qotd", "service_label_fr": "QOTD" }, "evidence_snippet": "\ufffd\ufffd\ufffd\t\ufffd\ufffd\ufffd\u05f5:\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffdK\ufffd0\ufffd\u06c5\ufffd\ufffd\ufffdS\ued9d \ufffd\ufffd.\ufffdZ\ufffd\ufffd\|d\ufffd\ufffd\ufffds\ufffdJ\ufffdr1\ufffdCr_\ufffdq\|6\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via QOTD:17 \u00b7 (sonde \/ probe)", "target_port_label": "17 \u00b7 QOTD", "emulator_service": "qotd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 59, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 35, "risk_label": "Faible", "service_name": "qotd", "service_label_fr": "QOTD", "dst_port": 17, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-qotd", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000e\u001d\u0006\t\ufffd\ufffd\ufffd\u05f5:\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffdK\ufffd0\ufffd\u06c5\ufffd\ufffd\ufffdS\ued9d \ufffd\ufffd.\ufffd\u000bZ\ufffd\ufffd\|d\u0014\ufffd\ufffd\ufffds\ufffdJ\ufffdr1\ufffd\u0002Cr_\ufffdq\|6\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 17, "service": "qotd", "service_label_fr": "QOTD" }, "attack_vector": "postgres probe \u00b7 via QOTD:17 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\t\ufffd\ufffd\ufffd\u05f5:\ufffd\ufffd\ufffdm\ufffd\ufffd\ufffdK\ufffd0\ufffd\u06c5\ufffd\ufffd\ufffdS\ued9d \ufffd\ufffd.\ufffdZ\ufffd\ufffd\|d\ufffd\ufffd\ufffds\ufffdJ\ufffdr1\ufffdCr_\ufffdq\|6\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "17 \u00b7 QOTD", "emulator_service": "qotd", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.156.129.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "qotd", "service_banner": "honeypot-qotd", "service_os": "linux", "dst_port": "17" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.156.129.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
20/06/2026 20:25:55 UTC	TCP	17 · QOTD	qotd	qotd qotd · via QOTD:17 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur QOTD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 17 Chemin / cible — Service QOTD Pourquoi cette classification : Type « qotd » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420716f746420726561647920706f72743d31370d0a", "emulator_response_len": 33, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "Sistemas Informaticos, S.A.", "service": "qotd", "app_proto": "qotd", "asn": 211680, "country": "PT", "dst_port": 17, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "9bbf135711d578340bd2329bf98a00cd3bf1730f", "event_fingerprint": "917c51aa556584d547f732d57cbdec61e7567771", "classification_reason": "Type \u00ab qotd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "qotd", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PT", "asn": 211680, "org": "Sistemas Informaticos, S.A.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "85ecca49316f7490cf28e0cb3be5f1bf" }, "target_context": { "dst_port": 17, "service": "qotd", "service_name": "qotd", "risk_score": 0 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6da6627042a760a80958b292cc2bb479d9fc09f3", "protocol_details": { "port": 17, "service": "qotd", "service_label_fr": "QOTD" }, "attack_vector": "qotd \u00b7 via QOTD:17 \u00b7 (sonde \/ probe)", "target_port_label": "17 \u00b7 QOTD", "emulator_service": "qotd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab qotd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab qotd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "qotd", "service_label_fr": "QOTD", "dst_port": 17, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-qotd", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 17, "service": "qotd", "service_label_fr": "QOTD" }, "attack_vector": "qotd \u00b7 via QOTD:17 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "17 \u00b7 QOTD", "emulator_service": "qotd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "qotd", "service_banner": "honeypot-qotd", "service_os": "linux", "dst_port": "17" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
19/06/2026 19:04:42 UTC	TCP	9443 · HTTPS	https	Botnet Mozi mozi pattern · via HTTPS:9443 · (commande & contrôle)	Élevée	Moyen · 48
Étape Commande & contrôle Chaîne Commande & contrôle Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0011 TA0011 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET / HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safar Pourquoi cette classification : Type « mozi_pattern » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 48 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0600 Technique MITRE TA0011 Tactiques MITRE TA0011 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safar Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 176, "payload_entropy": 5.340054139782635, "port_category": "registered", "org": "Sistemas Informaticos, S.A.", "service": "https", "app_proto": "https", "asn": 211680, "country": "PT", "dst_port": 9443, "risk_waf": 8, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 82, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 48, "tag_count": 5, "anomaly_count": 0, "campaign_key": "a15b6ac50d8b6429471e319af39d53f15f115a1e", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0600" ], "classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 82, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 48 }, "service_name": "https", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PT", "asn": 211680, "org": "Sistemas Informaticos, S.A.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9f3fcaf5b20d89b1898c49417c7c4257", "path_pattern_hash": "762d384fab941f6d0c2239f19994f30e" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 48 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safar", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safar", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safar", "classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "c2", "mitre_tactics": [ "TA0011" ], "mitre": "TA0011", "threat_family": [ "botnet" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "95c6bedd6ed2cc68b29cc68df4f5ed810495a9d7", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safar", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safar", "attack_vector": "mozi pattern \u00b7 via HTTPS:9443 \u00b7 (commande & contr\u00f4le)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0011 \u2014 confiance 50 % \u2014 via HTTPS", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 82, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 48 }, "attack_stage": "c2", "attack_stage_label": "Commande & contr\u00f4le", "attack_chain_stage": "command_and_control", "attack_chain_stage_label_fr": "Commande & contr\u00f4le", "risk_score": 48, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0600" ], "tags_summary_labels_fr": [ "pat-0600" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0011", "mitre_technique": "TA0011", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safar", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "mozi pattern \u00b7 via HTTPS:9443 \u00b7 (commande & contr\u00f4le)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safar", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": true, "kind": "stage" }, { "key": "command_and_control", "label_fr": "Commande & contr\u00f4le", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "command_and_control", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "websphere_probe" ] }
29/05/2026 20:28:52 UTC	TCP	3001	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
25/05/2026 03:37:49 UTC	TCP	3389	tls	Sonde TLS	Élevée	Élevé · 81
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
22/05/2026 06:16:28 UTC	TCP	53	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
22/05/2026 06:16:20 UTC	TCP	53	dns	dns	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
22/05/2026 06:16:07 UTC	TCP	53	http	Sonde HTTP	Élevée	Moyen · 57
Étape — WAF 9 Recommandation — Tags 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 53 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36 Règles WAF 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "c7e3312ad89b5c953c233d6bb536f12495aec80f", "http_host_hash": "ba2c61536df555abe5a29ad1853f13ab33cfdcb6", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.289954548993219, "port_category": "well_known", "org": "Sistemas Informaticos, S.A.", "service": "http", "app_proto": "http", "asn": 211680, "country": "PT", "tag_count": 2, "anomaly_count": 0, "risk_score": 57, "campaign_key": "2381f617fa15d8ed9f15cf4cbc70d9d80c51dc31", "event_fingerprint": "19d8b37f8e9cb469b34abf618b544d16a0733744", "tags_list": [ "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

45.156.129.67

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence