Renseignement sur les menaces

États-Unis

45.198.224.244

FAI Vpsvault.host Ltd Première vue 16/06/2026 04:26 UTC Dernière vue 17/06/2026 02:17 UTC Risque Élevé

Période analysée : 2026-05-18 → 2026-06-17

Activité suspecte

Campagne de scan — plusieurs IP du même /24 (45.198.224.0/24, ≥3 pairs)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 76/100 Élevé

Première observation 16/06/2026 04:26 UTC

Dernière observation 17/06/2026 02:17 UTC

Événements (période) 58

MITRE ATT&CK principal TA0001 42 occurrences

Activité suspecte

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « remoteanything » (signaux protocolaires) · confiance 0%

Confiance 10 % — Score WAF 8 · Bonus corrélation +10

Comparaison ASN / FAI

ASN 215925 · 45.198.224.0/24 · AFRINIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 58 événements sur la période pour cette IP.

45.198.224.92 Sonde SSH 17/06/2026 04:29 UTC
45.198.224.140 Sonde SSH 17/06/2026 04:29 UTC
45.205.1.241 Sonde port 8181/TCP 17/06/2026 04:28 UTC
45.198.224.114 Sonde SSH 17/06/2026 04:22 UTC
45.198.224.46 Sonde SSH 17/06/2026 04:19 UTC
45.205.1.246 Sonde port 8090/TCP 17/06/2026 04:17 UTC
45.205.1.243 Sonde port 8081/TCP 17/06/2026 04:01 UTC
45.198.224.5 docker tls probe 17/06/2026 03:58 UTC

Événements (filtres)

Première observation

16/06/2026 04:26 UTC

Dernière observation

17/06/2026 02:17 UTC

Dernière activité (filtres)

17/06/2026 02:17 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 43 HTTPS TCP 8 REMOTEANYTHING TCP 2 HTTP ALT 8081 TCP 1 HTTP ALT 8088 TCP 1 NODE HTTP TCP 1 GRAFANA TCP 1

HTTP

HTTPS

REMOTEANYTHING

HTTP ALT 8081

HTTP ALT 8088

NODE HTTP

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Vpsvault.host Ltd 0 Port 4000 remoteanything

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Reconnaissance

Vecteur d'attaque

remoteanything · via REMOTEANYTHING:4000 · (sonde / probe)

Détails protocole

Aperçu payload

GET / HTTP/1.1 Host: 62.3.50.33:4000 Connection: close

Port / service

4000 · REMOTEANYTHING

Service émulé

REMOTEANYTHING

Raison confiance

Confiance 0 % — 1 signal(aux) capteur

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Scan coordonné

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Confiance

10% Corrélation +10

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

58 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

58 événement(s) — page 1/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 02:17:35 UTC	TCP	4000 · REMOTEANYTHING	remoteanything	remoteanything remoteanything · via REMOTEANYTHING:4000 · (sonde / probe)	Moyenne	Faible · 24
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur REMOTEANYTHING WAF — Recommandation Surveiller Tags http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4000 Chemin / cible — Service REMOTEANYTHING Payload GET / HTTP/1.1 Host: 62.3.50.33:4000 Connection: close Pourquoi cette classification : Type « remoteanything » (signaux protocolaires) · confiance 0% Confiance classification 10% Corrélation +10 Risque capteur Faible · 24 Confiance : Confiance 0 % — 1 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4000 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742072656d6f7465616e797468696e6720726561647920706f72743d343030300d0a", "emulator_response_len": 45, "bytes_in": 60, "payload_entropy": 4.556564762130954, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "remoteanything", "app_proto": "remoteanything", "asn": 215925, "country": "US", "dst_port": 4000, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 32, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.5, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15 }, "risk_score": 24, "tag_count": 1, "anomaly_count": 0, "campaign_key": "7daab5526d463d9e36ac8ca3a98ef295abd5089f", "event_fingerprint": "07cd5f73535b136b58bd81864049efd35e649f3d", "classification_reason": "Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.1, "classification_confidence": 0.1, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15, "risk_score": 24, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "remoteanything", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3fea6dc73311d972d570b1f15b0da5aa", "path_pattern_hash": "910f1d0651f97b463356bb788b95ea33" }, "target_context": { "dst_port": 4000, "service": "remoteanything", "service_name": "remoteanything", "risk_score": 24 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close", "classification_reason": "Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "96ee32bd7f1429c62e6864b8deb7ae7f85fce228", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close", "port": 4000, "service": "remoteanything", "service_label_fr": "REMOTEANYTHING" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close", "attack_vector": "remoteanything \u00b7 via REMOTEANYTHING:4000 \u00b7 (sonde \/ probe)", "target_port_label": "4000 \u00b7 REMOTEANYTHING", "emulator_service": "remoteanything", "confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 10, "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15, "risk_score": 24, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 24, "risk_label": "Faible", "service_name": "remoteanything", "service_label_fr": "REMOTEANYTHING", "dst_port": 4000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-remoteanything", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close", "port": 4000, "service": "remoteanything", "service_label_fr": "REMOTEANYTHING" }, "attack_vector": "remoteanything \u00b7 via REMOTEANYTHING:4000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close", "target_port_label": "4000 \u00b7 REMOTEANYTHING", "emulator_service": "remoteanything", "confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "remoteanything", "service_banner": "honeypot-remoteanything", "service_os": "linux", "dst_port": "4000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe" ] }
17/06/2026 02:17:34 UTC	TCP	4000 · REMOTEANYTHING	remoteanything	remoteanything remoteanything · via REMOTEANYTHING:4000 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur REMOTEANYTHING WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4000 Chemin / cible — Service REMOTEANYTHING Pourquoi cette classification : Type « remoteanything » (signaux protocolaires) · confiance 0% Confiance classification 10% Corrélation +10 Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742072656d6f7465616e797468696e6720726561647920706f72743d343030300d0a", "emulator_response_len": 45, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "remoteanything", "app_proto": "remoteanything", "asn": 215925, "country": "US", "dst_port": 4000, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.2, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "f88a96a7a2195ddc5425c713492dfeb24a49282e", "event_fingerprint": "07cd5f73535b136b58bd81864049efd35e649f3d", "classification_reason": "Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.1, "classification_confidence": 0.1, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "remoteanything", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "910f1d0651f97b463356bb788b95ea33" }, "target_context": { "dst_port": 4000, "service": "remoteanything", "service_name": "remoteanything", "risk_score": 0 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2a87d09db003d6362a4d925c05dd4f0ca2576d90", "protocol_details": { "port": 4000, "service": "remoteanything", "service_label_fr": "REMOTEANYTHING" }, "attack_vector": "remoteanything \u00b7 via REMOTEANYTHING:4000 \u00b7 (sonde \/ probe)", "target_port_label": "4000 \u00b7 REMOTEANYTHING", "emulator_service": "remoteanything", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 10, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 0, "risk_label": "Faible", "service_name": "remoteanything", "service_label_fr": "REMOTEANYTHING", "dst_port": 4000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-remoteanything", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 4000, "service": "remoteanything", "service_label_fr": "REMOTEANYTHING" }, "attack_vector": "remoteanything \u00b7 via REMOTEANYTHING:4000 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "4000 \u00b7 REMOTEANYTHING", "emulator_service": "remoteanything", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "remoteanything", "service_banner": "honeypot-remoteanything", "service_os": "linux", "dst_port": "4000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor" }
16/06/2026 23:20:52 UTC	TCP	8088 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8088 · (tentative d'exploit)	Élevée	Élevé · 76
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8088 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 76 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) Appl Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-Requ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "1c1f86ba252c0c8ebc250acab48718f12d6d1efd", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 931, "payload_entropy": 5.616549560778706, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 76, "tag_count": 13, "anomaly_count": 0, "campaign_key": "b99e469991b601cc8de0e5929a49ae8b7a6c9d5c", "event_fingerprint": "776e8baedccd03d8fb5e94ec580a074cc2f9d60f", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "72d43eb808798db218d063798749cc39", "payload_hash": "f11722ca6a8622606fc9464eaf682de6", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 76 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Requ", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Requ", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "93a509bca13cbc86cfe0c6b4bc47c175677cf3ab", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit)", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 76, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8088" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 23:20:52 UTC	TCP	8088 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8088 · (tentative d'exploit) · → /_next	Élevée	Élevé · 76
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWeb… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8088 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 76 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Accept-Encoding Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "affd667937319ba36aa098ac5e3b53f4e282c1fe", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 971, "payload_entropy": 5.675224812166708, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 76, "tag_count": 12, "anomaly_count": 0, "campaign_key": "b9be4450eecffc4d605b73310b426f230ea57659", "event_fingerprint": "8c62f85e504446ca970e43ef1880c610b51105e1", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6990db627a3d5a6ae3f8a2c22924225b", "payload_hash": "d58478ee63122acce654113164c7cf3f", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 76 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-Encoding", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-Encoding", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f3fd29f7611b39799ebb1993032a6ef92f254eca", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone", "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 76, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8088" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 23:20:52 UTC	TCP	8088 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8088 · (tentative d'exploit) · → /api	Élevée	Élevé · 76
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, l… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8088 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 76 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 10; K Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Accept-Encoding: gzip, deflate Next-Action Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "8563f2ed0fd1b3832e8c528ca96b1f98a5b0004e", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 943, "payload_entropy": 5.668399408022473, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 76, "tag_count": 14, "anomaly_count": 0, "campaign_key": "5a7ff7c847295bc7c8cb7b26fcdad8652f339051", "event_fingerprint": "15943422306ff76579bc72abd66553de406ebfa2", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fcf5bfa409c42db4e4a5f32bcc91f966", "payload_hash": "6039f154a05dc1d547f657bd663e124b", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 76 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f3e4575fec45cecf6e1c21bab9b54ce44664481d", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K", "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 76, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8088" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 23:20:52 UTC	TCP	8088 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8088 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 76
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8088 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 76 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Accept-Encoding: gzip, de Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "a76e08b809549a8ef70acaf7074b5caa8a051858", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 960, "payload_entropy": 5.659620274584405, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 76, "tag_count": 13, "anomaly_count": 0, "campaign_key": "b11bbf08f0ba0617fefe9c9a3c6baf0c8db9a19b", "event_fingerprint": "aa09415c50c71a8a5d6380143e1dd26a223d483f", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "64a32e80cd1b4b7b1af4cc78f58848ee", "payload_hash": "0bab517125840c95c59698fefa461a8b", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 76 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT ", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, de", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, de", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "25724f4eb8760090e41f94767c2555caa52704ac", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT", "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 76, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8088" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 23:20:52 UTC	TCP	8088 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8088 · (tentative d'exploit) · → /app	Élevée	Élevé · 76
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8088 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 76 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-Request-Id: poop1234 C Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "fac64969f9eca34262c56352be2d62dd2d22b1a0", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 905, "payload_entropy": 5.630751405188573, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 76, "tag_count": 12, "anomaly_count": 0, "campaign_key": "b9be4450eecffc4d605b73310b426f230ea57659", "event_fingerprint": "a76ba649321c8ece6fd560e53841a342393796bc", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f10b48170735feac18b44fa385fef37", "payload_hash": "31a06a787575eae31f779879fbac8bbe", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 76 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5d8652173064d3a050e5f589ea6a4232cfd42c25", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 76, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8088" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 23:20:52 UTC	TCP	8088 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8088 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 76
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWeb… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8088 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 76 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iP Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Accept-Enco Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "affd667937319ba36aa098ac5e3b53f4e282c1fe", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 981, "payload_entropy": 5.67341445092683, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 76, "tag_count": 16, "anomaly_count": 0, "campaign_key": "66b4ed6a0ded7aa54d815d6af0358922f1e903e7", "event_fingerprint": "831932703b6e4f316e985ecbe3bdb6ff75d01188", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6990db627a3d5a6ae3f8a2c22924225b", "payload_hash": "aa5e4a8baf7f5b1af7245d2fd7f33d30", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 76 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-Enco", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-Enco", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cb00db6f7c67f88bb7bd12fc0a9a909ef17103c6", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP", "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 76, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 10 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8088" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 23:20:51 UTC	TCP	8088 · HTTP ALT 8088	http-alt-8088	http-alt-8088 http-alt-8088 · via HTTP ALT 8088:8088 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP-ALT-8088 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8088 Chemin / cible — Service HTTP ALT 8088 Pourquoi cette classification : Type « http-alt-8088 » (signaux protocolaires) · confiance 0% Confiance classification 10% Corrélation +10 Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http-alt-8088", "app_proto": "http-alt-8088", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "be18fd5396c091ebd409f5cfdf732d730b8067d4", "event_fingerprint": "e4439b80d6e4b371d582e64e67ce8ed1e436ce25", "classification_reason": "Type \u00ab http-alt-8088 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.1, "classification_confidence": 0.1, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http-alt-8088", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "f7ffc7733123826391689a4267b358d2" }, "target_context": { "dst_port": 8088, "service": "http-alt-8088", "service_name": "http-alt-8088", "risk_score": 0 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f4361951a29bb7613a383046fe98daf61717659f", "protocol_details": { "port": 8088, "service": "http-alt-8088", "service_label_fr": "HTTP ALT 8088" }, "attack_vector": "http-alt-8088 \u00b7 via HTTP ALT 8088:8088 \u00b7 (sonde \/ probe)", "target_port_label": "8088 \u00b7 HTTP ALT 8088", "emulator_service": "http-alt-8088", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab http-alt-8088 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab http-alt-8088 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 10, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 0, "risk_label": "Faible", "service_name": "http-alt-8088", "service_label_fr": "HTTP ALT 8088", "dst_port": 8088, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8088", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 8088, "service": "http-alt-8088", "service_label_fr": "HTTP ALT 8088" }, "attack_vector": "http-alt-8088 \u00b7 via HTTP ALT 8088:8088 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8088 \u00b7 HTTP ALT 8088", "emulator_service": "http-alt-8088", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8088", "service_banner": "honeypot-http-alt-8088", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor" }
16/06/2026 23:20:51 UTC	TCP	8088 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8088 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8088 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74% Confiance classification 92% Corrélation +18 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 20 · 1 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8088 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.577316637094897, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "4c107cce6f4a587053401a64b6b1b030c9318e51", "event_fingerprint": "1c74cf8230f9b4879e57da93bad95e8e25d3b4ad", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fa2a0b2b1c98b17895dcddedb757fab1", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nConnection: close", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 18 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bc33383ed8e0c2f1bcfb3fd821dc70944507008c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8088 \u00b7 (sonde \/ probe)", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 92, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 18 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8088 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nConnection: close", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 92 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8088" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ] }
16/06/2026 22:27:46 UTC	TCP	8081 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8081 · (tentative d'exploit) · → /_next	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8081 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; W Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "0703723cf11531696e7769eb22f8d9b281390533", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 940, "payload_entropy": 5.620553836531143, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "25d3500a65098389ca2d8b93c8549931b42caa48", "event_fingerprint": "7d4995e339bce9d45351ec2b6c401891d9d6f950", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c9d890423bdd8f672926a6e46bf361c3", "payload_hash": "b0758873e0d71f06b76dea5a47676848", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "563e4e26e9a863cfabde0c3b30b05c8d7b2bf4b8", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8081" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 22:27:46 UTC	TCP	8081 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8081 · (tentative d'exploit) · → /api	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8081 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 145 Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d336075c3988c6b7205cebd57d13f49ace6a0b3b", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 930, "payload_entropy": 5.643166886767965, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 14, "anomaly_count": 0, "campaign_key": "3e1047700df921ca5fa7796d53fff1af0d36f873", "event_fingerprint": "095d99f9383f5428ad0c682c3b7d635d59b356c2", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5ea6889a59d080298a42c0e1b4758211", "payload_hash": "2f8837338742089b2d54228a349e1b4f", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44a91d20bd0fe492453ddc36b15105f5d60ae890", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8081" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 22:27:46 UTC	TCP	8081 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8081 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8081 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Ac Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "0703723cf11531696e7769eb22f8d9b281390533", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 946, "payload_entropy": 5.6594046131274895, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "bbbaa927603c8e1a206800afdcd2c5078814801e", "event_fingerprint": "b17e3bb78441026be83582a88b87db052e47c107", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c9d890423bdd8f672926a6e46bf361c3", "payload_hash": "35adf05b1bb6cf67e387e24397a7462a", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT ", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Ac", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Ac", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "15a87589fe459dcb6c6b1ec1c219048f472c9e4d", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT", "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8081" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 22:27:46 UTC	TCP	8081 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8081 · (tentative d'exploit) · → /app	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWeb… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8081 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone O Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Accept-Encoding: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "affd667937319ba36aa098ac5e3b53f4e282c1fe", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 975, "payload_entropy": 5.6652796455482095, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "25d3500a65098389ca2d8b93c8549931b42caa48", "event_fingerprint": "7edc76f815cbe0e9c24ae088c9bf500e285a17cb", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6990db627a3d5a6ae3f8a2c22924225b", "payload_hash": "6dc72ccc1a7f2a05bebbe435404abdb2", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone O", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-Encoding: ", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone O", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-Encoding: ", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone O", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d12f67c91642e20c43bed221205bf30f6cc3d6e4", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone O", "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone O", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8081" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 22:27:46 UTC	TCP	8081 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8081 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8081 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Andr Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Accept-Encoding: gz Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "22d9380abcdf97c82db21728e444020cf16735ea", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 966, "payload_entropy": 5.678830672935169, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 16, "anomaly_count": 0, "campaign_key": "0740b3e614b8bf2fe05dca85c370c515474f3b99", "event_fingerprint": "685ea63dea2f86feffea0cc11e67cd645f6c7148", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6c8160595869adea51d6742918f57fdf", "payload_hash": "ba33b251db37e903717b0b3a98806bd3", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gz", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gz", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8496a3776ac01ac51a0195f142baed7bdbf0cd46", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 10 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8081" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 22:27:45 UTC	TCP	8081 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8081 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8081 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74% Confiance classification 92% Corrélation +18 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 20 · 1 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8081 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.577316637094897, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "b449e7b9d7b63a4b5e0f229bd49fb797df3a4d46", "event_fingerprint": "6200042a8eedd96c47b109adc0963a36d177f604", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5607155b0334748016e5c0e15d70bf62", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nConnection: close", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 18 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c8c08f24cc67d56e7465f34a5eaafddbdcccad33", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe)", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 92, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 18 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nConnection: close", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 92 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8081" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ] }
16/06/2026 22:27:45 UTC	TCP	8081 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8081 · (tentative d'exploit)	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8081 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) Appl Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-Requ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "1c1f86ba252c0c8ebc250acab48718f12d6d1efd", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 924, "payload_entropy": 5.644728580502887, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "5558eaaa3b52e1f0ccc0c7b1b24b17d03b0f50d6", "event_fingerprint": "1213fcdd21b85075d772fad75b2dd0cb423568f7", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "72d43eb808798db218d063798749cc39", "payload_hash": "f4fee51ec2eca369c335b2f51ea6105e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Requ", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Requ", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e42412c41aa0eb898b86688303259addfbb8eee3", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit)", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8081" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 22:27:44 UTC	TCP	8081 · HTTP ALT 8081	http-alt-8081	http-alt-8081 http-alt-8081 · via HTTP ALT 8081:8081 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP-ALT-8081 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8081 Chemin / cible — Service HTTP ALT 8081 Pourquoi cette classification : Type « http-alt-8081 » (signaux protocolaires) · confiance 0% Confiance classification 10% Corrélation +10 Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http-alt-8081", "app_proto": "http-alt-8081", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "d64dc0c930338d642f642e22846c64f959ad84a2", "event_fingerprint": "1023f61ccc055c445b71c912dbddfda91b08657e", "classification_reason": "Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.1, "classification_confidence": 0.1, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http-alt-8081", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "721fec86c34b7fdcb2df85c882e6db0e" }, "target_context": { "dst_port": 8081, "service": "http-alt-8081", "service_name": "http-alt-8081", "risk_score": 0 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5a23a81b3543b077eb32d0270ad7852c08db0e8d", "protocol_details": { "port": 8081, "service": "http-alt-8081", "service_label_fr": "HTTP ALT 8081" }, "attack_vector": "http-alt-8081 \u00b7 via HTTP ALT 8081:8081 \u00b7 (sonde \/ probe)", "target_port_label": "8081 \u00b7 HTTP ALT 8081", "emulator_service": "http-alt-8081", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 10, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 0, "risk_label": "Faible", "service_name": "http-alt-8081", "service_label_fr": "HTTP ALT 8081", "dst_port": 8081, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8081", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 8081, "service": "http-alt-8081", "service_label_fr": "HTTP ALT 8081" }, "attack_vector": "http-alt-8081 \u00b7 via HTTP ALT 8081:8081 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8081 \u00b7 HTTP ALT 8081", "emulator_service": "http-alt-8081", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8081", "service_banner": "honeypot-http-alt-8081", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor" }
16/06/2026 19:51:23 UTC	TCP	8443 · HTTPS	https	Sonde HTTP smuggling http smuggling probe · via HTTPS:8443 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload POST /api HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AF Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL User-Agent — Règles WAF — Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AF Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Accept-E Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 978, "payload_entropy": 5.703832937989422, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e6b2cf8ce9f9336bf0fcf7e6fb346b1f13664c68", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a610c1223a9c1a13ebc3e81dedd08e32", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 52 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAccept-E", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF", "evidence": { "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAccept-E", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6464798f5662a7a3772564a92dedf814c0ab8ab6", "protocol_details": { "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF", "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTPS \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 52, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "mozi_pattern", "net_web_probe" ] }
16/06/2026 19:51:23 UTC	TCP	8443 · HTTPS	https	Sonde HTTP smuggling http smuggling probe · via HTTPS:8443 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload POST /_next/server HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL User-Agent — Règles WAF — Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Act Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 945, "payload_entropy": 5.652486089679005, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e6b2cf8ce9f9336bf0fcf7e6fb346b1f13664c68", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "51289a3b4f1daf30f7dbdc44747e2fcb", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 52 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Act", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x", "evidence": { "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Act", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3ef08724a955317cee7c5f8cf5449aedd0607d29", "protocol_details": { "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x", "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTPS \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 52, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "mozi_pattern", "net_web_probe" ] }
16/06/2026 19:51:23 UTC	TCP	8443 · HTTPS	https	Sonde HTTP smuggling http smuggling probe · via HTTPS:8443 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload POST /app HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) A Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL User-Agent — Règles WAF — Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) A Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-R Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 921, "payload_entropy": 5.653469543820433, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e6b2cf8ce9f9336bf0fcf7e6fb346b1f13664c68", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "91a5ba31bb2384dda7d9982955d47591", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 52 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-R", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "evidence": { "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-R", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b984b0375e74a05209aed502cd79a5e16d53a28f", "protocol_details": { "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTPS \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 52, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "mozi_pattern", "net_web_probe" ] }
16/06/2026 19:51:23 UTC	TCP	8443 · HTTPS	https	Sonde HTTP smuggling http smuggling probe · via HTTPS:8443 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload POST /api/route HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_ Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL User-Agent — Règles WAF — Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_ Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 942, "payload_entropy": 5.6402564713438395, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e6b2cf8ce9f9336bf0fcf7e6fb346b1f13664c68", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "707493888bd1752cb127b063b4a7aa0f", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 52 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "evidence": { "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2df01b2dba1c6bfd7b26da149df0b5172e85237f", "protocol_details": { "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTPS \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 52, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "mozi_pattern", "net_web_probe" ] }
16/06/2026 19:51:22 UTC	TCP	8443 · HTTPS	https	Sonde HTTP Sonde HTTP · via HTTPS:8443 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 71% Confiance classification 81% Corrélation +10 Risque capteur Moyen · 40 Confiance : Confiance 71 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 40, "tag_count": 2, "anomaly_count": 0, "campaign_key": "baa690d1c17ffc3e0bea7942e5e4e6fb74221eb7", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "service_name": "https", "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 40 }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.81, "classification_confidence": 0.81, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a290a31f54554d3db67fb9ec50e66b26c3cce82", "protocol_details": { "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "Sonde HTTP \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 71 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 81, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "Sonde HTTP \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 71 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 81 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe" ] }
16/06/2026 19:51:22 UTC	TCP	8443 · HTTPS	https	Sonde HTTP Sonde HTTP · via HTTPS:8443 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port http_get_probe net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload GET / HTTP/1.1 Host: 62.3.50.33:8443 Connection: close Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 74% Confiance classification 84% Corrélation +10 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8443 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 60, "payload_entropy": 4.602479553833678, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ee1718673413d9545e04a504276fd0deb0f77bc5", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9a7cf108f246e65363b5dcc8a3ec1bf9", "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "service_name": "https", "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%" }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.84, "classification_confidence": 0.84, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9bbddd6a7fcf6f3e1efd20616cd305933caf708d", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 84, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "Sonde HTTP \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 84 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "net_web_probe" ] }
16/06/2026 19:51:22 UTC	TCP	8443 · HTTPS	https	Sonde HTTP smuggling http smuggling probe · via HTTPS:8443 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload POST / HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 1 Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL User-Agent — Règles WAF — Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 1 Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Accept-Encoding: gzi Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 965, "payload_entropy": 5.685030095977528, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e6b2cf8ce9f9336bf0fcf7e6fb346b1f13664c68", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b6983b76e3a90abc66376fea508d8413", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 52 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-Encoding: gzi", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1", "evidence": { "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-Encoding: gzi", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "494e2858a090b0bce4b577882823bfb4e1bc331a", "protocol_details": { "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1", "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTPS \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 52, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "mozi_pattern", "net_web_probe" ] }
16/06/2026 19:51:22 UTC	TCP	8443 · HTTPS	https	Sonde HTTP smuggling http smuggling probe · via HTTPS:8443 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload POST /_next HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 512 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; W Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL User-Agent — Règles WAF — Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 512 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; W Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 512 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-Request-Id: poop1234 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 900, "payload_entropy": 5.612691068333408, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e6b2cf8ce9f9336bf0fcf7e6fb346b1f13664c68", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6a81090387bc009e9923bf9d42e4dedd", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 52 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "evidence": { "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0e51c13040c94b923d1d228a01df7955b1c20c48", "protocol_details": { "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTPS \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 52, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "mozi_pattern", "net_web_probe" ] }
16/06/2026 16:10:04 UTC	TCP	3002 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3002 · (tentative d'exploit) · → /app	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3002 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4. Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Accept-Encoding: gzip, de Meta JSON brut { "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "22d9380abcdf97c82db21728e444020cf16735ea", "http_host_hash": "ee3abe830eee278c9a8f0ffd85f7b97f39c75219", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 961, "payload_entropy": 5.694952824156515, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3002, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 75, "tag_count": 11, "anomaly_count": 0, "campaign_key": "66b7f4dbefc344c97bfab79f1b08d2ae0383b3c7", "event_fingerprint": "51474b3a1ae5c5f5a3e9b0e25a503136cbf24e36", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6c8160595869adea51d6742918f57fdf", "payload_hash": "6828e17e554f17794b877f9267620312", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 3002, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gzip, de", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gzip, de", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c8da61f766de09e446fb2887ea8ed8f801055eba", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3002, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:3002" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti" ] }
16/06/2026 16:10:04 UTC	TCP	3002 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3002 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3002 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_ Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action Meta JSON brut { "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "d336075c3988c6b7205cebd57d13f49ace6a0b3b", "http_host_hash": "ee3abe830eee278c9a8f0ffd85f7b97f39c75219", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 942, "payload_entropy": 5.630741318166173, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3002, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 75, "tag_count": 15, "anomaly_count": 0, "campaign_key": "4482b02642187ce979aebbd7473c2a14123457a7", "event_fingerprint": "9a386d28756d9771a53879f69934660f9ba8b20b", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5ea6889a59d080298a42c0e1b4758211", "payload_hash": "67037ddc7b6fdab2af11e603202cb27d", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 3002, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ee0973d5780752ab0ce05e9c6eaf3f823bd5f039", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3002, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 10 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:3002" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti" ] }
16/06/2026 16:10:03 UTC	TCP	3002	—	Sonde port Sonde port · port 3002 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3002 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 60% Corrélation +10 Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": null, "app_proto": null, "asn": 215925, "country": "US", "dst_port": 3002, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "864a612e9da71754d8a8f5b0b8559f02761267f0", "event_fingerprint": "37265dffe08d24f42cf4795b1dd9c9776472f1eb", "classification_confidence": 0.6, "confidence": 0.6, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 10 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 3002, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "798f73845b2368b4e004d3647dcd7c4c3e2d0f76", "protocol_details": { "port": 3002 }, "attack_vector": "Sonde port \u00b7 port 3002 \u00b7 (sonde \/ probe)", "target_port_label": "3002", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 60, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 3002, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 3002 }, "attack_vector": "Sonde port \u00b7 port 3002 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "3002", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "behavior_alert_count": 1, "behavior_priority": 72 }
16/06/2026 16:10:03 UTC	TCP	3002 · HTTP	http	http http · via HTTP:3002 · (sonde / probe)	Faible	Faible · 35
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3002 Chemin / cible / Service HTTP Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 61% Confiance classification 79% Corrélation +18 Risque capteur Faible · 35 Confiance : Confiance 61 % — Score WAF 20 · 1 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3002 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "ee3abe830eee278c9a8f0ffd85f7b97f39c75219", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.5232314287976205, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3002, "risk_waf": 20, "risk_classification": 8, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 20, "classification": 8, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 35, "tag_count": 2, "anomaly_count": 0, "campaign_key": "cd29e424d0e298012f91f1538147043ed7dc941d", "event_fingerprint": "1b45f184489a4badc621137cca8ff83506226041", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "17a9ecb20ce1daa2d85860631b083508", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 3002, "service": "http", "service_name": "http", "risk_score": 35 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nConnection: close", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%" }, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%", "confidence_breakdown": { "waf": 20, "classification": 8, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 35, "correlation_boost": 18 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "confidence": 0.79, "classification_confidence": 0.79, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1b432e35063d9399f59f11626b4f782f37144458", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nConnection: close", "attack_vector": "http \u00b7 via HTTP:3002 \u00b7 (sonde \/ probe)", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 61 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%", "classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 79, "confidence_breakdown": { "waf": 20, "classification": 8, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 35, "correlation_boost": 18 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 35, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3002, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http \u00b7 via HTTP:3002 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nConnection: close", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 61 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 79 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:3002" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua" ] }
16/06/2026 16:10:03 UTC	TCP	3002 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3002 · (tentative d'exploit)	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3002 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541. Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Ne Meta JSON brut { "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d336075c3988c6b7205cebd57d13f49ace6a0b3b", "http_host_hash": "ee3abe830eee278c9a8f0ffd85f7b97f39c75219", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 927, "payload_entropy": 5.673600599609936, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3002, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "4b936daaf05771106c4e9e218aef4ca574be3af3", "event_fingerprint": "bf03ca9fb1a0f9dec6126df8ed726e5611ba378c", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5ea6889a59d080298a42c0e1b4758211", "payload_hash": "53cb0c8258d3b4de1b762c1455ad02f0", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3002, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Ne", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Ne", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cd4ca81f6b34593ec3d50ababf62b768fd308b9a", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.", "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit)", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3002, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:3002" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti" ] }
16/06/2026 16:10:03 UTC	TCP	3002 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3002 · (tentative d'exploit) · → /_next	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) Appl… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3002 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Accept Meta JSON brut { "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1cafc1ec7983977ff1b9c77c60e09ef5fe869a95", "http_host_hash": "ee3abe830eee278c9a8f0ffd85f7b97f39c75219", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 979, "payload_entropy": 5.672583842483796, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3002, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 75, "tag_count": 11, "anomaly_count": 0, "campaign_key": "66b7f4dbefc344c97bfab79f1b08d2ae0383b3c7", "event_fingerprint": "e79001ee3a119372dc829d7a136765b7f5248fbb", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c772734c6eb2978096c283068906aec3", "payload_hash": "b7134420f3980447c81724754cc580f7", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 3002, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAccept", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAccept", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d201ce72ca19f59ce30a0bb2c799de858dbffec5", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3002, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:3002" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti" ] }
16/06/2026 16:10:03 UTC	TCP	3002 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3002 · (tentative d'exploit) · → /api	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3002 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Actio Meta JSON brut { "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "8447a2dfcfbbdcc75d5b5272da958411ec73dd1a", "http_host_hash": "ee3abe830eee278c9a8f0ffd85f7b97f39c75219", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 943, "payload_entropy": 5.64950493041748, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3002, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "894f00c4dc1dcb80118004b2288c313de525170a", "event_fingerprint": "1de13953e8c14993362e3f8556080a54ec6fd4e4", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "93af66442f9c9958e5fcc0142d9e74de", "payload_hash": "e40374a7f73faeabc51c4d775f9ac25d", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 3002, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Actio", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Actio", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1dc4a8248abd4f73f65d882269ee1719e45f32ee", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3002, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:3002" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti" ] }
16/06/2026 16:10:03 UTC	TCP	3002 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3002 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWeb… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3002 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Accept-E Meta JSON brut { "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "affd667937319ba36aa098ac5e3b53f4e282c1fe", "http_host_hash": "ee3abe830eee278c9a8f0ffd85f7b97f39c75219", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 978, "payload_entropy": 5.683625200268866, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3002, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "693618f0f750e0ce1ca6fc1a5db499e22c6b7ede", "event_fingerprint": "f68bcd64261e96dfd92de2d10a9459948774ed7b", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6990db627a3d5a6ae3f8a2c22924225b", "payload_hash": "84d2d0af619b4829508a157af062ec8d", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 3002, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-E", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-E", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b2a94b9bf40b7e863a93dde13f3e0d55b803be6d", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3002, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:3002" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti" ] }
16/06/2026 13:03:23 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) Appl… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Ac Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1cafc1ec7983977ff1b9c77c60e09ef5fe869a95", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 977, "payload_entropy": 5.641083603876925, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 16, "anomaly_count": 0, "campaign_key": "17f8082b7177a6962da54a61b69b8c55587a2484", "event_fingerprint": "44273dd9b4c851d7b9a674b35acd2e74b843b306", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c772734c6eb2978096c283068906aec3", "payload_hash": "811587fe2159ae34408e162f0301cd93", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAc", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAc", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "81b6e1e06d5d92dd060f61bd4180cf18d9a489cd", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 10 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 13:03:22 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit)	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, l… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 10; K) A Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "8563f2ed0fd1b3832e8c528ca96b1f98a5b0004e", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 946, "payload_entropy": 5.645635982494514, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "5286d7149cff2380a616c8211b39b63366c8dd6f", "event_fingerprint": "16e2c48fbcd6b17a02278bce3dc927a637697700", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fcf5bfa409c42db4e4a5f32bcc91f966", "payload_hash": "4953ee3a7b58093417a97f95a51e4779", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4a0edb8f56f89ba470cd63c71bda0e529e90bce6", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit)", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 13:03:22 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /_next	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1c1f86ba252c0c8ebc250acab48718f12d6d1efd", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 930, "payload_entropy": 5.637095497237025, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "355d7572ad0a2a31a82f6a17f7d1b0376cbe086a", "event_fingerprint": "bd2e4031bf04bf18dee63c7bcfc15bb898971b77", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "72d43eb808798db218d063798749cc39", "payload_hash": "dda561c86ab5774044686fef8392941c", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44e2a43099d34945c7191ad929cd1637fe2ed8f0", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 13:03:22 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /api	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-Request-Id: poop1234 C Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "fac64969f9eca34262c56352be2d62dd2d22b1a0", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 906, "payload_entropy": 5.599525220763314, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 14, "anomaly_count": 0, "campaign_key": "5f81689c0d4c52be206bd91cfd395583910ca4a3", "event_fingerprint": "82784f43a5e9f3ee94ecdb86dca53a33b02b4a21", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f10b48170735feac18b44fa385fef37", "payload_hash": "f0b8a92631b02c3bb8c6372f9524f87a", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "75fb8c0b71087d3a4741acb4bdfe7b8063c75ba7", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 13:03:22 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) Appl… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Andr Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1cafc1ec7983977ff1b9c77c60e09ef5fe869a95", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 980, "payload_entropy": 5.676213569280611, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "6f5948cef2533ee6717481d676f7cea8a7121fae", "event_fingerprint": "25e704f0aca0877f96ba11a8b72866ac12712632", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c772734c6eb2978096c283068906aec3", "payload_hash": "7728c60ffe229ec70d198662c39b459a", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "601cfc62cdc00a88cceeba610e02133509a92495", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 13:03:22 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /app	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) A Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-R Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1c1f86ba252c0c8ebc250acab48718f12d6d1efd", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 928, "payload_entropy": 5.633244314670457, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "355d7572ad0a2a31a82f6a17f7d1b0376cbe086a", "event_fingerprint": "ba76cda5a5de39507583c01573d44f59579b7605", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "72d43eb808798db218d063798749cc39", "payload_hash": "317f87ea02f0c4d889f501ac8896505b", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-R", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-R", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fc4eb1153b3173439b22bf301e3db24f4c2ea3f1", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 13:03:21 UTC	TCP	3001 · GRAFANA	grafana	grafana probe grafana probe · via GRAFANA:3001 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur GRAFANA WAF — Recommandation Surveiller Tags grafana_emulated net_grafana_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3001 Chemin / cible — Service GRAFANA Pourquoi cette classification : Type « grafana_probe » (signaux protocolaires) · confiance 0% Confiance classification 10% Corrélation +10 Risque capteur Faible · 24 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "grafana", "app_proto": "grafana", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 24, "tag_count": 2, "anomaly_count": 0, "campaign_key": "fa5e9f89adb2c47cafc508db34cacd873d1de716", "event_fingerprint": "0f885f7557e23a2165fec6e25217796b52e0b682", "classification_reason": "Type \u00ab grafana_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.1, "classification_confidence": 0.1, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 24, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "grafana", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6fe594699bf22753f400c105c5e66cd2" }, "target_context": { "dst_port": 3001, "service": "grafana", "service_name": "grafana", "risk_score": 24 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a45c6598dfbd7f36d43b9df396afaa630d6ff129", "protocol_details": { "port": 3001, "service": "grafana", "service_label_fr": "GRAFANA" }, "attack_vector": "grafana probe \u00b7 via GRAFANA:3001 \u00b7 (sonde \/ probe)", "target_port_label": "3001 \u00b7 GRAFANA", "emulator_service": "grafana", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab grafana_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab grafana_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 10, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 24, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 24, "risk_label": "Faible", "service_name": "grafana", "service_label_fr": "GRAFANA", "dst_port": 3001, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-grafana", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 3001, "service": "grafana", "service_label_fr": "GRAFANA" }, "attack_vector": "grafana probe \u00b7 via GRAFANA:3001 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "3001 \u00b7 GRAFANA", "emulator_service": "grafana", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "grafana", "service_banner": "honeypot-grafana", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "grafana_emulated", "net_grafana_probe" ] }
16/06/2026 13:03:21 UTC	TCP	3001 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:3001 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3001 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74% Confiance classification 92% Corrélation +18 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 20 · 1 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3001 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.510649970428229, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a03f8e495fb2c8a4b497319935cd9db363466aea", "event_fingerprint": "da23c40320a3e9c3f4c59c38b781fb247e83e390", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8cdda30c43b2dd7c07f4801c1b61cc70", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 18 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e015661753fc64a5a3205772e3dabde2526361d", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:3001 \u00b7 (sonde \/ probe)", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 92, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 18 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:3001 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 92 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ] }
16/06/2026 07:31:13 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) Appl… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Andr Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1cafc1ec7983977ff1b9c77c60e09ef5fe869a95", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 987, "payload_entropy": 5.690695027549453, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 13, "anomaly_count": 0, "campaign_key": "e2df49b40bff1bf1c835e3051e5e684779804c0d", "event_fingerprint": "9ba584fdc39f150e7c51f1e0eda84d67437d8d65", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c772734c6eb2978096c283068906aec3", "payload_hash": "45218565b5d869d627a7349a736d6b35", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d62c49acda47ab3ac9610bdbb775604152aceb8b", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:13 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /app	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Accept-Encoding: gzip, deflate Ne Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "a76e08b809549a8ef70acaf7074b5caa8a051858", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 951, "payload_entropy": 5.652409630981394, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 12, "anomaly_count": 0, "campaign_key": "8a7a730e3bd4ed5a37303ee15b632ec4892de342", "event_fingerprint": "1fc6a70736a43e88c6e8fca79595036b64f26a25", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "64a32e80cd1b4b7b1af4cc78f58848ee", "payload_hash": "87ed84b01bcaca157f97e434bcaa1665", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\nNe", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\nNe", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7619563e25a6b63090e359146b12db88542734fa", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:13 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007;… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile Safari/ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1978af5307537775fab4b66b0f1439319be37ce1", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 987, "payload_entropy": 5.664523870539842, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 16, "anomaly_count": 0, "campaign_key": "1ad596657217a260bbfde7bd7dbf8675ae0c20d6", "event_fingerprint": "46fad7a80ac53c3981cf28756f763ab2003e70d5", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7967be4fa492cfad4b86b41e3ae090e9", "payload_hash": "558741a1d48dc05d8b06ee4182d47a07", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6541a3c734c567de9caba795c4c6b42bae5b1e98", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 10 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:12 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /_next	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 507 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; W Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 507 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Accept-Encoding: gzip, deflate Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "a76e08b809549a8ef70acaf7074b5caa8a051858", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 939, "payload_entropy": 5.657146249718423, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 12, "anomaly_count": 0, "campaign_key": "8a7a730e3bd4ed5a37303ee15b632ec4892de342", "event_fingerprint": "997360954c933942c23581cb49e3850fdfacc7fc", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "64a32e80cd1b4b7b1af4cc78f58848ee", "payload_hash": "41b8d90afa301ae08a109d54ea957298", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f3e0660f3aa9654e2fcfc94b4baeaf05ffec7d3b", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:12 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /api	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-Request-Id: poop1234 C Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "fac64969f9eca34262c56352be2d62dd2d22b1a0", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 905, "payload_entropy": 5.605397513701913, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 14, "anomaly_count": 0, "campaign_key": "21e9fae942f52cc8b549481060b39762751f902f", "event_fingerprint": "de9086070f98b0daf5d3dfd24e5a3bbeea980a1d", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f10b48170735feac18b44fa385fef37", "payload_hash": "d45a7a42a7af0daca280ad1560d265fb", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "89465f6de370e56e22d8a331197edddfa52ffe47", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:11 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit)	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Accept-Encoding: gzip, deflate Next- Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "a76e08b809549a8ef70acaf7074b5caa8a051858", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 949, "payload_entropy": 5.672032491151558, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 13, "anomaly_count": 0, "campaign_key": "dd0c863e8e5b3de4c865bd32a64a191cc8f0cbbb", "event_fingerprint": "c1a9c1f6f187ad29e77be46b13b8ac844c709953", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "64a32e80cd1b4b7b1af4cc78f58848ee", "payload_hash": "a35d83f746468780e009c9bba877cbf6", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\nNext-", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\nNext-", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f96bc006a154697a39dc081859ab5ee9ba58e535", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:10 UTC	TCP	8080 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8080 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP WAF — Recommandation Surveiller Tags http_alt_8080 http_alt_port net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8080 Chemin / cible — Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 74% Confiance classification 84% Corrélation +10 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "986800c5ad65e75d541a277e48953dacf3f318da", "event_fingerprint": "5afc6680f618e490dc22cb875ac6d45b5c7d65ea", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "service_name": "http", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 40 }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.84, "classification_confidence": 0.84, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "945d6c54aac35f31bab6fba8d81332256826a36c", "protocol_details": { "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 84, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 84 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_8080", "http_alt_port", "net_web_probe" ] }
16/06/2026 07:31:10 UTC	TCP	8080 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8080 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74% Confiance classification 84% Corrélation +10 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 20 · 1 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8080 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.577316637094897, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "37198db21b7202e636438aa5da36611eb6d754de", "event_fingerprint": "e8d7e440ce64622852a586f753bfe5d0110d3e76", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "15a4a5d6143f1183d398eba12061634b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.84, "classification_confidence": 0.84, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b4204193a4c25716fc1670ad0cebd9890311a42", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 84, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 84 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +10 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ] }

45.198.224.244

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence