Détails IP 45.156.129.78

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Sonde HTTP (tag nosqli-3) · confiance 74%

Confiance 74 % — Score WAF 44 · 2 tag(s) WAF

Comparaison ASN / FAI

ASN 211680 · 45.156.129.0/24 · RIPENCC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 13 événements sur la période pour cette IP.

45.156.129.91 Sonde HTTP 21/06/2026 02:28 UTC
45.156.129.90 webmin probe 21/06/2026 02:27 UTC
45.156.128.59 Sonde HTTP 21/06/2026 02:19 UTC
45.156.128.57 Sonde HTTP 21/06/2026 02:18 UTC
45.156.128.56 Sonde HTTP 21/06/2026 02:18 UTC
45.156.128.58 Sonde HTTP 20/06/2026 23:32 UTC
45.156.129.77 Sonde HTTP 20/06/2026 23:25 UTC
45.156.129.75 Sonde HTTP 20/06/2026 23:25 UTC

IPs apparentées

Même FAI Sistemas Informaticos, S.A. — corrélation indicative.

45.156.129.91 Sonde HTTP
45.156.129.90 webmin probe
45.156.128.59 Sonde HTTP
45.156.128.57 Sonde HTTP
45.156.128.56 Sonde HTTP

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

TLS TCP 3 SIP TCP 2 HTTP TCP 2 PLEX TCP 2 QOTD TCP 1 SSH TCP 1 HTTPS TCP 1

TLS

3

SIP

2

HTTP

2

PLEX

2

QOTD

1

SSH

1

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

13 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
20/06/2026 20:45:16 UTC	TCP	8880 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8880 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0… Émulateur HTTP WAF 9 Recommandation Surveiller Tags 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag nosqli-3) · confiance 74% Confiance classification 74% Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 44 · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36 Règles WAF nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8880 User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safar Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8880 User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "c7e3312ad89b5c953c233d6bb536f12495aec80f", "http_host_hash": "705e57393925ae4499d6cc481be3dac8642e294d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 176, "payload_entropy": 5.314172568407955, "port_category": "registered", "org": "Sistemas Informaticos, S.A.", "service": "http", "app_proto": "http", "asn": 211680, "country": "PT", "dst_port": 8880, "risk_waf": 44, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 44, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e755a718bcb6285ca3995c756527c57ce5bbc41b", "event_fingerprint": "bddd1ca543f3439367356d76283924726b205ea6", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PT", "asn": 211680, "org": "Sistemas Informaticos, S.A.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4dcb5466a1cf9e92d38fdee8553b0c1e", "payload_hash": "a1f41c1bc7b32d3ce0dc8a93eb566d22", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safar", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36", "waf_tags": [ "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safar", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36", "waf_tags": [ "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safar", "classification_reason": "Sonde HTTP (tag nosqli-3) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag nosqli-3) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 44, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "837ecaf0977e882dd6d73226a1fb27e22c3779ad", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36", "port": 8880, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safar", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8880 \u00b7 (sonde \/ probe)", "target_port_label": "8880 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 44 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag nosqli-3) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag nosqli-3) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 74, "confidence_breakdown": { "waf": 44, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8880, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36", "port": 8880, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8880 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safar", "target_port_label": "8880 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 44 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 74 % \u2014 Score WAF 44 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
19/06/2026 06:59:49 UTC	TCP	32400 · PLEX	plex	Sonde PostgreSQL postgres probe · via PLEX:32400 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 35fa0a83e466acbe Émulateur PLEX WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 32400 Chemin / cible — Service PLEX Payload �� T�q`�Ma>�K��E� %��E 4B;I�p ��;�Oi��c�\|�Į��>��]�&̨̩�/�0�+�,�� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 67% Corrélation +18 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��T�q`�Ma>�K��E� %��E 4B;I�p ��;�Oi��c�\|�Į��>��]�&̨̩�/�0�+�,�� /5� w Requête brute (extrait) �� T�q`�Ma>�K��E� %��E 4B;I�p ��;�Oi��c�\|�Į��>��]�&̨̩�/�0�+�,�� /5� w �+3&$ 2=Gԣ��Of}5Is:O8��k_��yzV�i\| Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420706c657820726561647920706f72743d33323430300d0a", "emulator_response_len": 36, "bytes_in": 239, "payload_entropy": 5.918985576288081, "port_category": "registered", "org": "Sistemas Informaticos, S.A.", "service": "plex", "app_proto": "plex", "asn": 211680, "country": "PT", "dst_port": 32400, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "6f474d9a48f6b21a442bc10cb5329eee337821b9", "event_fingerprint": "777f8a95358de68b90dd7f58ad144d387ad4f65e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.67, "classification_confidence": 0.67, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "plex", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PT", "asn": 211680, "org": "Sistemas Informaticos, S.A.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "60606d74cc08d284bafe94f1c453afee", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "35fa0a83e466acbec1cfbb9016d550ab", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 32400, "service": "plex", "service_name": "plex", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\f\ufffdT\ufffdq`\ufffdMa>\ufffdK\ufffd\ufffd\ufffdE\ufffd\u000e %\ufffd\ufffdE\r4B;I\ufffdp \ufffd\ufffd;\ufffdOi\ufffd\ufffd\ufffd\ufffd\u0018\u001a\ufffdc\ufffd\|\ufffd\u012e\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\f\ufffdT\ufffdq`\ufffdMa>\ufffdK\ufffd\ufffd\ufffdE\ufffd\u000e %\ufffd\ufffdE\r4B;I\ufffdp \ufffd\ufffd;\ufffdOi\ufffd\ufffd\ufffd\ufffd\u0018\u001a\ufffdc\ufffd\|\ufffd\u012e\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 2=\u0001G\u0523\ufffd\ufffdOf}5Is:O8\ufffd\ufffdk_\ufffd\u0018\ufffd\ufffdyzV\u001d\ufffdi\|", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\f\ufffdT\ufffdq`\ufffdMa>\ufffdK\ufffd\ufffd\ufffdE\ufffd\u000e %\ufffd\ufffdE\r4B;I\ufffdp \ufffd\ufffd;\ufffdOi\ufffd\ufffd\ufffd\ufffd\u0018\u001a\ufffdc\ufffd\|\ufffd\u012e\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7aabc9cebdb084ac72a0d27ee716cd44d930e42b", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\f\ufffdT\ufffdq`\ufffdMa>\ufffdK\ufffd\ufffd\ufffdE\ufffd\u000e %\ufffd\ufffdE\r4B;I\ufffdp \ufffd\ufffd;\ufffdOi\ufffd\ufffd\ufffd\ufffd\u0018\u001a\ufffdc\ufffd\|\ufffd\u012e\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 32400, "service": "plex", "service_label_fr": "PLEX" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdT\ufffdq`\ufffdMa>\ufffdK\ufffd\ufffd\ufffdE\ufffd %\ufffd\ufffdE\r4B;I\ufffdp \ufffd\ufffd;\ufffdOi\ufffd\ufffd\ufffd\ufffd\ufffdc\ufffd\|\ufffd\u012e\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via PLEX:32400 \u00b7 (sonde \/ probe)", "target_port_label": "32400 \u00b7 PLEX", "emulator_service": "plex", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 67, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 18 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 35, "risk_label": "Faible", "service_name": "plex", "service_label_fr": "PLEX", "dst_port": 32400, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-plex", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\f\ufffdT\ufffdq`\ufffdMa>\ufffdK\ufffd\ufffd\ufffdE\ufffd\u000e %\ufffd\ufffdE\r4B;I\ufffdp \ufffd\ufffd;\ufffdOi\ufffd\ufffd\ufffd\ufffd\u0018\u001a\ufffdc\ufffd\|\ufffd\u012e\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 32400, "service": "plex", "service_label_fr": "PLEX" }, "attack_vector": "postgres probe \u00b7 via PLEX:32400 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdT\ufffdq`\ufffd*Ma>\ufffdK\ufffd\ufffd\ufffdE\ufffd %\ufffd\ufffdE\r4B;I\ufffdp \ufffd\ufffd;\ufffdOi\ufffd\ufffd\ufffd\ufffd\ufffdc\ufffd\|\ufffd\u012e\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "32400 \u00b7 PLEX", "emulator_service": "plex", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.156.129.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "plex", "service_banner": "honeypot-plex", "service_os": "linux", "dst_port": "32400" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "plex", "sip" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.156.129.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
19/06/2026 06:59:49 UTC	TCP	32400 · PLEX	plex	Sonde Plex plex · via PLEX:32400 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur PLEX WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 32400 Chemin / cible — Service PLEX Pourquoi cette classification : Type « plex » (signaux protocolaires) · confiance 0% Confiance classification 18% Corrélation +18 Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420706c657820726561647920706f72743d33323430300d0a", "emulator_response_len": 36, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Sistemas Informaticos, S.A.", "service": "plex", "app_proto": "plex", "asn": 211680, "country": "PT", "dst_port": 32400, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.8, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "f0fe326e20cc42a9e53935c9a22684115fec7299", "event_fingerprint": "777f8a95358de68b90dd7f58ad144d387ad4f65e", "classification_reason": "Type \u00ab plex \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.18, "classification_confidence": 0.18, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "plex", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PT", "asn": 211680, "org": "Sistemas Informaticos, S.A.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "cf6dd0b6bcff0572500cdd0870089185" }, "target_context": { "dst_port": 32400, "service": "plex", "service_name": "plex", "risk_score": 0 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "734de1dc54430fdeec9f47b1c7f215eefc0d7824", "protocol_details": { "port": 32400, "service": "plex", "service_label_fr": "PLEX" }, "attack_vector": "plex \u00b7 via PLEX:32400 \u00b7 (sonde \/ probe)", "target_port_label": "32400 \u00b7 PLEX", "emulator_service": "plex", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab plex \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab plex \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 18, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 18 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 0, "risk_label": "Faible", "service_name": "plex", "service_label_fr": "PLEX", "dst_port": 32400, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-plex", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 32400, "service": "plex", "service_label_fr": "PLEX" }, "attack_vector": "plex \u00b7 via PLEX:32400 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "32400 \u00b7 PLEX", "emulator_service": "plex", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 18 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.156.129.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "plex", "service_banner": "honeypot-plex", "service_os": "linux", "dst_port": "32400" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "plex", "sip" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.156.129.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor" }
19/06/2026 06:54:57 UTC	TCP	5060 · SIP	sip	Sonde SIP/VoIP sip voip probe · via SIP:5060 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur SIP WAF — Recommandation Surveiller Tags net_sip_voip_probe sip_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5060 Chemin / cible — Service SIP Pourquoi cette classification : Type « sip_voip_probe » (signaux protocolaires) · confiance 0% Confiance classification 10% Corrélation +10 Risque capteur Faible · 34 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "5349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d", "emulator_response_len": 215, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Sistemas Informaticos, S.A.", "service": "sip", "app_proto": "sip", "asn": 211680, "country": "PT", "dst_port": 5060, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 34, "tag_count": 2, "anomaly_count": 0, "campaign_key": "7ede27279abdf995b4c23aeb42aaef771106fc4d", "event_fingerprint": "3fcb8baeea4f587fed31373e40a068a2b2c72324", "classification_reason": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.1, "classification_confidence": 0.1, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 34, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "sip", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PT", "asn": 211680, "org": "Sistemas Informaticos, S.A.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "12e58fcb9ae07c2755694e8888ea070c" }, "target_context": { "dst_port": 5060, "service": "sip", "service_name": "sip", "risk_score": 34 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d84b353c2e3026305f118e4eda26f551d550f6a6", "protocol_details": { "port": 5060, "service": "sip", "service_label_fr": "SIP" }, "attack_vector": "sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)", "target_port_label": "5060 \u00b7 SIP", "emulator_service": "sip", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 10, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 34, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 34, "risk_label": "Faible", "service_name": "sip", "service_label_fr": "SIP", "dst_port": 5060, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sip", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 5060, "service": "sip", "service_label_fr": "SIP" }, "attack_vector": "sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "5060 \u00b7 SIP", "emulator_service": "sip", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.156.129.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sip", "service_banner": "honeypot-sip", "service_os": "linux", "dst_port": "5060" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.156.129.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sip_voip_probe", "sip_emulated" ] }
19/06/2026 06:54:49 UTC	TCP	5060 · SIP	sip	Sonde SIP/VoIP sip voip probe · via SIP:5060 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur SIP WAF — Recommandation Surveiller Tags net_sip_voip_probe sip_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5060 Chemin / cible — Service SIP Pourquoi cette classification : Type « sip_voip_probe » (signaux protocolaires) · confiance 0% Confiance classification 10% Corrélation +10 Risque capteur Faible · 34 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "5349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d", "emulator_response_len": 215, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Sistemas Informaticos, S.A.", "service": "sip", "app_proto": "sip", "asn": 211680, "country": "PT", "dst_port": 5060, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 34, "tag_count": 2, "anomaly_count": 0, "campaign_key": "7ede27279abdf995b4c23aeb42aaef771106fc4d", "event_fingerprint": "3fcb8baeea4f587fed31373e40a068a2b2c72324", "classification_reason": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.1, "classification_confidence": 0.1, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 34, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "sip", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PT", "asn": 211680, "org": "Sistemas Informaticos, S.A.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "12e58fcb9ae07c2755694e8888ea070c" }, "target_context": { "dst_port": 5060, "service": "sip", "service_name": "sip", "risk_score": 34 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d84b353c2e3026305f118e4eda26f551d550f6a6", "protocol_details": { "port": 5060, "service": "sip", "service_label_fr": "SIP" }, "attack_vector": "sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)", "target_port_label": "5060 \u00b7 SIP", "emulator_service": "sip", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 10, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 34, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 34, "risk_label": "Faible", "service_name": "sip", "service_label_fr": "SIP", "dst_port": 5060, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sip", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 5060, "service": "sip", "service_label_fr": "SIP" }, "attack_vector": "sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "5060 \u00b7 SIP", "emulator_service": "sip", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.156.129.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sip", "service_banner": "honeypot-sip", "service_os": "linux", "dst_port": "5060" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.156.129.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_sip_voip_probe", "sip_emulated" ] }
14/06/2026 11:25:58 UTC	TCP	8181 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8181 · (sonde / probe) · → /favicon.ico	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole GET /favicon.ico UA Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0… Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8181 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Sonde HTTP (tag nosqli-3) · confiance 50% Confiance classification 60% Corrélation +10 Risque capteur Moyen · 40 Confiance : Confiance 50 % — Motif catalogue confirmé · 1 tag(s) WAF Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36 Règles WAF nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8181 User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.63 Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8181 User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.86 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c7e3312ad89b5c953c233d6bb536f12495aec80f", "http_host_hash": "ee4df8d877d42e60dadcf85bc1e968589c2d406f", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 187, "payload_entropy": 5.3173108841007855, "port_category": "registered", "org": "Sistemas Informaticos, S.A.", "service": "http", "app_proto": "http", "asn": 211680, "country": "PT", "dst_port": 8181, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "e64e5f65cec82e0178498aa94f45eae11eb3f8b7", "event_fingerprint": "93a06c93ab64e5d9b3064f93b9d28120476c41bb", "classification_reason": "Sonde HTTP (tag nosqli-3) \u00b7 confiance 50%", "confidence": 0.6, "classification_confidence": 0.6, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 40, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "PT", "asn": 211680, "org": "Sistemas Informaticos, S.A.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4dcb5466a1cf9e92d38fdee8553b0c1e", "payload_hash": "c78bafb293837422e282cb112a5d1a1c", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 8181, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8181\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.63", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8181\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8181\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.63", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8181\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8181\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.63", "classification_reason": "Sonde HTTP (tag nosqli-3) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f2d9737426f666eafd89127ef57a8d6ba0dbad50", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36", "port": 8181, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8181\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.63", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8181 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "8181 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag nosqli-3) \u00b7 confiance 50%", "classification_reason_label_fr": "Sonde HTTP (tag nosqli-3) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 60, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8181, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.6312.86 Safari\/537.36", "port": 8181, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8181 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8181\r\nUser-Agent: Mozilla\/5.0 AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.63", "target_port_label": "8181 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +10 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.156.129.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8181" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.156.129.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950470:nosqli-3" ] }
28/05/2026 00:32:45 UTC	TCP	5555	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
26/05/2026 11:20:32 UTC	TCP	9944	ssh	Sonde SSH	Élevée	Élevé · 74
Étape — WAF — Recommandation — Tags ssh_banner Cible HTTP — TLS SNI — Capteur paris-1
26/05/2026 11:20:27 UTC	TCP	9944	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
26/05/2026 11:20:21 UTC	TCP	9944	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
25/05/2026 10:39:43 UTC	TCP	17	qotd	qotd	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
25/05/2026 06:44:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Moyen · 57
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
25/05/2026 06:44:04 UTC	TCP	8443	https	https probe	Élevée	Moyen · 48
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

45.156.129.78

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence