{"ip":"45.198.224.244","exported_at":"2026-06-20T09:22:58+00:00","period_days":1,"metrics":{"events7d":214,"distinct_ports":8,"distinct_classifications":8,"max_severity":10,"last_sensor_id":"paris-1","max_waf_score":62,"max_risk_score":76,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["web_injection"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":100,"classification":85,"behavior":0,"geo":0,"protocol":43,"novelty":25},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"TA0001","top_mitre_technique":"TA0001","top_mitre_count":156,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)","campaign_hint_fr":null,"confidence_breakdown":{"waf":100,"classification":85,"behavior":0,"geo":0,"protocol":43,"novelty":25,"risk_score":75,"correlation_boost":8},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["multi_protocol_correlation"],"correlation_flags_labels_fr":["Multi-protocole corr\u00e9l\u00e9 (5 min)"],"confidence_pct":100,"confidence_hint_fr":"Corr\u00e9lation +8","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0842"],"tags_summary":["pat-0842"],"attack_vector":"http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route","protocol_details":{"http_method":"POST","http_path":"\/api\/route","request_line":"POST \/api\/route HTTP\/1.1","http_user_agent":"Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","port":3001,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"POST \/api\/route \u00b7 UA Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleW\u2026 \u00b7 HTTP:3001","evidence_snippet":"POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_","target_port_label":"3001 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF","classification_reason":"Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%","classification_reason_label_fr":"Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 10 tag(s) WAF","payload_preview":"POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_"},"events":[{"id":9728359,"ip":"45.198.224.244","ts":"2026-06-20 07:57:58.000000","proto":"tcp","src_port":36272,"dst_port":3001,"service":"http","classification":"http_smuggling_probe","waf_score":56,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d\u0022, \u0022emulator_response_len\u0022: 107, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00221978af5307537775fab4b66b0f1439319be37ce1\u0022, \u0022http_host_hash\u0022: \u002268964bd149320edbceb0d6a222e6bc3e0bdb74e3\u0022, \u0022http_target_hash\u0022: \u0022ada91241341ae792ecf0a59cad28616a77bab856\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 988, \u0022payload_entropy\u0022: 5.682856703888568, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3001, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 7.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225f81689c0d4c52be206bd91cfd395583910ca4a3\u0022, \u0022event_fingerprint\u0022: \u002282784f43a5e9f3ee94ecdb86dca53a33b02b4a21\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00227967be4fa492cfad4b86b41e3ae090e9\u0022, \u0022payload_hash\u0022: \u00225e4779a32a4838d18fb625e7a560a90d\u0022, \u0022path_pattern_hash\u0022: \u0022702acf7c08d3b03b321d97b4903ad221\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; S\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; S\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; S\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226078eb405f22e5a15d781a1af78fc735780880c0\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026\u0022, \u0022port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; S\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026\u0022, \u0022port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; S\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022grafana\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3001","http_user_agent":"Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":988},{"id":9728360,"ip":"45.198.224.244","ts":"2026-06-20 07:57:58.000000","proto":"tcp","src_port":36276,"dst_port":3001,"service":"http","classification":"http_smuggling_probe","waf_score":58,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next\/server","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d\u0022, \u0022emulator_response_len\u0022: 107, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00221978af5307537775fab4b66b0f1439319be37ce1\u0022, \u0022http_host_hash\u0022: \u002268964bd149320edbceb0d6a222e6bc3e0bdb74e3\u0022, \u0022http_target_hash\u0022: \u0022bef481449499f499a0b29ed75c9630076205b04f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 996, \u0022payload_entropy\u0022: 5.669060504120757, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3001, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 7.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226f5948cef2533ee6717481d676f7cea8a7121fae\u0022, \u0022event_fingerprint\u0022: \u002225e704f0aca0877f96ba11a8b72866ac12712632\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00227967be4fa492cfad4b86b41e3ae090e9\u0022, \u0022payload_hash\u0022: \u0022810589009b5e6c5969a75b252b62b6f1\u0022, \u0022path_pattern_hash\u0022: \u00224d9c4ca8a8065d3ce7073b6b23f61056\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Andr\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safa\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Andr\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safa\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Andr\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d98acfea62cac57f794d3f646c7ebaef3593487c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026\u0022, \u0022port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Andr\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026\u0022, \u0022port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Andr\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022grafana\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3001","http_user_agent":"Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":996},{"id":9728361,"ip":"45.198.224.244","ts":"2026-06-20 07:57:58.000000","proto":"tcp","src_port":36286,"dst_port":3001,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/app","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d\u0022, \u0022emulator_response_len\u0022: 107, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d336075c3988c6b7205cebd57d13f49ace6a0b3b\u0022, \u0022http_host_hash\u0022: \u002268964bd149320edbceb0d6a222e6bc3e0bdb74e3\u0022, \u0022http_target_hash\u0022: \u00220c35eebf403cf91fe77a64921d76aa1ca6411d20\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 937, \u0022payload_entropy\u0022: 5.651155468533959, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3001, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 7.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022355d7572ad0a2a31a82f6a17f7d1b0376cbe086a\u0022, \u0022event_fingerprint\u0022: \u0022ba76cda5a5de39507583c01573d44f59579b7605\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225ea6889a59d080298a42c0e1b4758211\u0022, \u0022payload_hash\u0022: \u0022b516359f12eaac4cc3d436c01ac9b4a9\u0022, \u0022path_pattern_hash\u0022: \u0022f53b52ad6d21cceb72dfa78fb67614fe\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002218769a5482e8a612516f511df4b836ba1ffc9e12\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022grafana\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3001","http_user_agent":"Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":937},{"id":9728362,"ip":"45.198.224.244","ts":"2026-06-20 07:57:58.000000","proto":"tcp","src_port":36292,"dst_port":3001,"service":"http","classification":"http_smuggling_probe","waf_score":62,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/route","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d\u0022, \u0022emulator_response_len\u0022: 107, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d336075c3988c6b7205cebd57d13f49ace6a0b3b\u0022, \u0022http_host_hash\u0022: \u002268964bd149320edbceb0d6a222e6bc3e0bdb74e3\u0022, \u0022http_target_hash\u0022: \u00221a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 943, \u0022payload_entropy\u0022: 5.654237880242019, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3001, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 7.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002217f8082b7177a6962da54a61b69b8c55587a2484\u0022, \u0022event_fingerprint\u0022: \u002244273dd9b4c851d7b9a674b35acd2e74b843b306\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225ea6889a59d080298a42c0e1b4758211\u0022, \u0022payload_hash\u0022: \u00223d8b3f26ba941d4962c4bb31de82b4ad\u0022, \u0022path_pattern_hash\u0022: \u00227c4fe35e07eebe8bea27a36c14378e32\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d7bd46b9fc3e183329e296c07ea5c205a55a7248\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022grafana\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3001","http_user_agent":"Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":943},{"id":9728356,"ip":"45.198.224.244","ts":"2026-06-20 07:57:57.000000","proto":"tcp","src_port":36266,"dst_port":3001,"service":"http","classification":"http_smuggling_probe","waf_score":55,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d\u0022, \u0022emulator_response_len\u0022: 107, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00228447a2dfcfbbdcc75d5b5272da958411ec73dd1a\u0022, \u0022http_host_hash\u0022: \u002268964bd149320edbceb0d6a222e6bc3e0bdb74e3\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 947, \u0022payload_entropy\u0022: 5.64002604363109, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3001, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 7.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225286d7149cff2380a616c8211b39b63366c8dd6f\u0022, \u0022event_fingerprint\u0022: \u002216e2c48fbcd6b17a02278bce3dc927a637697700\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002293af66442f9c9958e5fcc0142d9e74de\u0022, \u0022payload_hash\u0022: \u0022ac76b5b0449a1d29ccd928874264dd27\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: \u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: \u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224db6b07bd9342d1d4d34f2d7a7ea137445c62728\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022grafana\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3001","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":947},{"id":9728358,"ip":"45.198.224.244","ts":"2026-06-20 07:57:57.000000","proto":"tcp","src_port":36268,"dst_port":3001,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d\u0022, \u0022emulator_response_len\u0022: 107, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00221c1f86ba252c0c8ebc250acab48718f12d6d1efd\u0022, \u0022http_host_hash\u0022: \u002268964bd149320edbceb0d6a222e6bc3e0bdb74e3\u0022, \u0022http_target_hash\u0022: \u0022afd9bdeafd8c657f6b493ada03c51e348516227b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 936, \u0022payload_entropy\u0022: 5.662176595139027, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3001, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 7.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022355d7572ad0a2a31a82f6a17f7d1b0376cbe086a\u0022, \u0022event_fingerprint\u0022: \u0022bd2e4031bf04bf18dee63c7bcfc15bb898971b77\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002272d43eb808798db218d063798749cc39\u0022, \u0022payload_hash\u0022: \u002278f520fcaac5d55c28f85e3751db1360\u0022, \u0022path_pattern_hash\u0022: \u0022bfd33612e3863357684bd23d10455a76\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002227b8c49eff359a01070cb21c9c5fe86e57f743c3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022grafana\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3001","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":936},{"id":9728354,"ip":"45.198.224.244","ts":"2026-06-20 07:57:56.000000","proto":"tcp","src_port":36240,"dst_port":3001,"service":"grafana","classification":"grafana_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d\u0022, \u0022emulator_response_len\u0022: 107, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022grafana\u0022, \u0022app_proto\u0022: \u0022grafana\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fa5e9f89adb2c47cafc508db34cacd873d1de716\u0022, \u0022event_fingerprint\u0022: \u00220f885f7557e23a2165fec6e25217796b52e0b682\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab grafana_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022grafana\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u00226fe594699bf22753f400c105c5e66cd2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3001, \u0022service\u0022: \u0022grafana\u0022, \u0022service_name\u0022: \u0022grafana\u0022, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a45c6598dfbd7f36d43b9df396afaa630d6ff129\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 3001, \u0022service\u0022: \u0022grafana\u0022, \u0022service_label_fr\u0022: \u0022GRAFANA\u0022}, \u0022attack_vector\u0022: \u0022grafana probe \u00b7 via GRAFANA:3001 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 GRAFANA\u0022, \u0022emulator_service\u0022: \u0022grafana\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab grafana_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab grafana_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 24, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022grafana\u0022, \u0022service_label_fr\u0022: \u0022GRAFANA\u0022, \u0022dst_port\u0022: 3001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-grafana\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 3001, \u0022service\u0022: \u0022grafana\u0022, \u0022service_label_fr\u0022: \u0022GRAFANA\u0022}, \u0022attack_vector\u0022: \u0022grafana probe \u00b7 via GRAFANA:3001 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00223001 \u00b7 GRAFANA\u0022, \u0022emulator_service\u0022: \u0022grafana\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022grafana\u0022, \u0022service_banner\u0022: \u0022honeypot-grafana\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022grafana_emulated\u0022, \u0022net_grafana_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022grafana_emulated\u0022, \u0022net_grafana_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":0},{"id":9728355,"ip":"45.198.224.244","ts":"2026-06-20 07:57:56.000000","proto":"tcp","src_port":36254,"dst_port":3001,"service":"http","classification":"web_probe","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d\u0022, \u0022emulator_response_len\u0022: 107, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u002268964bd149320edbceb0d6a222e6bc3e0bdb74e3\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 60, \u0022payload_entropy\u0022: 4.510649970428229, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3001, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a03f8e495fb2c8a4b497319935cd9db363466aea\u0022, \u0022event_fingerprint\u0022: \u0022da23c40320a3e9c3f4c59c38b781fb247e83e390\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228cdda30c43b2dd7c07f4801c1b61cc70\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.82, \u0022classification_confidence\u0022: 0.82, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221e015661753fc64a5a3205772e3dabde2526361d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:3001 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 82, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 3001, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:3001 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3001\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00223001 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 82 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022grafana\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3001","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":60},{"id":9726011,"ip":"45.198.224.244","ts":"2026-06-20 07:09:25.000000","proto":"tcp","src_port":35432,"dst_port":8080,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/app","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00221cafc1ec7983977ff1b9c77c60e09ef5fe869a95\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u00220c35eebf403cf91fe77a64921d76aa1ca6411d20\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 971, \u0022payload_entropy\u0022: 5.686149162721169, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 74, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228a7a730e3bd4ed5a37303ee15b632ec4892de342\u0022, \u0022event_fingerprint\u0022: \u00221fc6a70736a43e88c6e8fca79595036b64f26a25\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c772734c6eb2978096c283068906aec3\u0022, \u0022payload_hash\u0022: \u0022fcaece61353499e32567cce524e2a479\u0022, \u0022path_pattern_hash\u0022: \u0022f53b52ad6d21cceb72dfa78fb67614fe\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 74}, \u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\\r\\nAccept-E\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\\r\\nAccept-E\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022341ca4bf8f47c2a1a8b3757889662e8b259f3db5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 74, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":971},{"id":9726012,"ip":"45.198.224.244","ts":"2026-06-20 07:09:25.000000","proto":"tcp","src_port":59176,"dst_port":8080,"service":"http","classification":"http_smuggling_probe","waf_score":62,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/route","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00221cafc1ec7983977ff1b9c77c60e09ef5fe869a95\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u00221a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 977, \u0022payload_entropy\u0022: 5.658489202431709, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 74, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221ad596657217a260bbfde7bd7dbf8675ae0c20d6\u0022, \u0022event_fingerprint\u0022: \u002246fad7a80ac53c3981cf28756f763ab2003e70d5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c772734c6eb2978096c283068906aec3\u0022, \u0022payload_hash\u0022: \u00228078039efbe64511a3a86904a91d0bc5\u0022, \u0022path_pattern_hash\u0022: \u00227c4fe35e07eebe8bea27a36c14378e32\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 74}, \u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\\r\\nAc\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\\r\\nAc\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228fd31053487460c94ab20759611e4bc473972d54\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 74, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":977},{"id":9726009,"ip":"45.198.224.244","ts":"2026-06-20 07:09:24.000000","proto":"tcp","src_port":35410,"dst_port":8080,"service":"http","classification":"http_smuggling_probe","waf_score":56,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00221c1f86ba252c0c8ebc250acab48718f12d6d1efd\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022ada91241341ae792ecf0a59cad28616a77bab856\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 928, \u0022payload_entropy\u0022: 5.666509733949924, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 74, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002221e9fae942f52cc8b549481060b39762751f902f\u0022, \u0022event_fingerprint\u0022: \u0022de9086070f98b0daf5d3dfd24e5a3bbeea980a1d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002272d43eb808798db218d063798749cc39\u0022, \u0022payload_hash\u0022: \u0022ff64ea389b43557d88c1148fba5124af\u0022, \u0022path_pattern_hash\u0022: \u0022702acf7c08d3b03b321d97b4903ad221\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 74}, \u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-R\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-R\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b07fc06ef744e510f98856721bafc6aadbc5b740\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 74, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":928},{"id":9726010,"ip":"45.198.224.244","ts":"2026-06-20 07:09:24.000000","proto":"tcp","src_port":35422,"dst_port":8080,"service":"http","classification":"http_smuggling_probe","waf_score":58,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next\/server","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00228447a2dfcfbbdcc75d5b5272da958411ec73dd1a\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022bef481449499f499a0b29ed75c9630076205b04f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 959, \u0022payload_entropy\u0022: 5.65607697683609, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 74, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e2df49b40bff1bf1c835e3051e5e684779804c0d\u0022, \u0022event_fingerprint\u0022: \u00229ba584fdc39f150e7c51f1e0eda84d67437d8d65\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002293af66442f9c9958e5fcc0142d9e74de\u0022, \u0022payload_hash\u0022: \u00225260c91648c4082412de8a7bfafc2103\u0022, \u0022path_pattern_hash\u0022: \u00224d9c4ca8a8065d3ce7073b6b23f61056\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 74}, \u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; \u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002223e0bec7b2d68f5e480e354ebcc03dd44b3ee8a8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 74, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":959},{"id":9726007,"ip":"45.198.224.244","ts":"2026-06-20 07:09:22.000000","proto":"tcp","src_port":35400,"dst_port":8080,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002222d9380abcdf97c82db21728e444020cf16735ea\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022afd9bdeafd8c657f6b493ada03c51e348516227b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 956, \u0022payload_entropy\u0022: 5.687218701583132, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 74, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228a7a730e3bd4ed5a37303ee15b632ec4892de342\u0022, \u0022event_fingerprint\u0022: \u0022997360954c933942c23581cb49e3850fdfacc7fc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226c8160595869adea51d6742918f57fdf\u0022, \u0022payload_hash\u0022: \u0022f5e34b5fee48dde2b459e5aee0c249e0\u0022, \u0022path_pattern_hash\u0022: \u0022bfd33612e3863357684bd23d10455a76\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 74}, \u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android \u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\\r\\nAccept-Encoding: gzip, \u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\\r\\nAccept-Encoding: gzip, \u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220db67c1b3a162d1863060386795bf832a5ab4342\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 74, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":956},{"id":9726006,"ip":"45.198.224.244","ts":"2026-06-20 07:09:21.000000","proto":"tcp","src_port":35398,"dst_port":8080,"service":"http","classification":"http_smuggling_probe","waf_score":55,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022fac64969f9eca34262c56352be2d62dd2d22b1a0\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 903, \u0022payload_entropy\u0022: 5.631984047750438, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 74, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dd0c863e8e5b3de4c865bd32a64a191cc8f0cbbb\u0022, \u0022event_fingerprint\u0022: \u0022c1a9c1f6f187ad29e77be46b13b8ac844c709953\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00229f10b48170735feac18b44fa385fef37\u0022, \u0022payload_hash\u0022: \u0022b0aa156d27bf3fe52c6ffdd208f88878\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 74}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-Request-Id: poop1234\\r\\nCont\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-Request-Id: poop1234\\r\\nCont\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a071e3de90458046ad3f80c3292453d43c433565\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 74, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":903},{"id":9726003,"ip":"45.198.224.244","ts":"2026-06-20 07:09:20.000000","proto":"tcp","src_port":35384,"dst_port":8080,"service":"http","classification":"web_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022986800c5ad65e75d541a277e48953dacf3f318da\u0022, \u0022event_fingerprint\u0022: \u00225afc6680f618e490dc22cb875ac6d45b5c7d65ea\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u00224154520a4208b3f021f35a6cc1dd98ae\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022945d6c54aac35f31bab6fba8d81332256826a36c\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_8080\u0022, \u0022http_alt_port\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_8080\u0022, \u0022http_alt_port\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":0},{"id":9726004,"ip":"45.198.224.244","ts":"2026-06-20 07:09:20.000000","proto":"tcp","src_port":35390,"dst_port":8080,"service":"http","classification":"web_probe","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 60, \u0022payload_entropy\u0022: 4.577316637094897, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002237198db21b7202e636438aa5da36611eb6d754de\u0022, \u0022event_fingerprint\u0022: \u0022e8d7e440ce64622852a586f753bfe5d0110d3e76\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002215a4a5d6143f1183d398eba12061634b\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225b4204193a4c25716fc1670ad0cebd9890311a42\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":60},{"id":9686488,"ip":"45.198.224.244","ts":"2026-06-19 23:37:49.000000","proto":"tcp","src_port":49966,"dst_port":3000,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/app","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022fac64969f9eca34262c56352be2d62dd2d22b1a0\u0022, \u0022http_host_hash\u0022: \u002246f5955a67387b75de712e640b0687c888a438e5\u0022, \u0022http_target_hash\u0022: \u00220c35eebf403cf91fe77a64921d76aa1ca6411d20\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 912, \u0022payload_entropy\u0022: 5.615120915766591, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c38ba9371dae7cb9f392003889a5e2034699ce93\u0022, \u0022event_fingerprint\u0022: \u0022ae01e5d64c65059bfac3d910117e1109010c7099\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00229f10b48170735feac18b44fa385fef37\u0022, \u0022payload_hash\u0022: \u00224e8c6e94da91ac4ad2b6a04446a773e1\u0022, \u0022path_pattern_hash\u0022: \u0022f53b52ad6d21cceb72dfa78fb67614fe\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-Request-Id: poop1234\\r\\nC\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-Request-Id: poop1234\\r\\nC\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aa9261c8929fc326a41eb8e243b6a92c044719f8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022node-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3000","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":912},{"id":9686491,"ip":"45.198.224.244","ts":"2026-06-19 23:37:49.000000","proto":"tcp","src_port":49970,"dst_port":3000,"service":"http","classification":"http_smuggling_probe","waf_score":62,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/route","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022affd667937319ba36aa098ac5e3b53f4e282c1fe\u0022, \u0022http_host_hash\u0022: \u002246f5955a67387b75de712e640b0687c888a438e5\u0022, \u0022http_target_hash\u0022: \u00221a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 981, \u0022payload_entropy\u0022: 5.648069983623701, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fe5171cbcf388509f61f3b6aecafcdfc099ea056\u0022, \u0022event_fingerprint\u0022: \u002265e65f62aaa913ad704f645caea35cffc912e98f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226990db627a3d5a6ae3f8a2c22924225b\u0022, \u0022payload_hash\u0022: \u002256c95dd6efaf130a83fd0ed6b573c1ae\u0022, \u0022path_pattern_hash\u0022: \u00227c4fe35e07eebe8bea27a36c14378e32\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\\r\\nAccept-Enco\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\\r\\nAccept-Enco\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002215e257ac9c861a36b0eeda7b72427cd88ca2d73c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022node-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3000","http_user_agent":"Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":981},{"id":9686483,"ip":"45.198.224.244","ts":"2026-06-19 23:37:48.000000","proto":"tcp","src_port":49946,"dst_port":3000,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00221c1f86ba252c0c8ebc250acab48718f12d6d1efd\u0022, \u0022http_host_hash\u0022: \u002246f5955a67387b75de712e640b0687c888a438e5\u0022, \u0022http_target_hash\u0022: \u0022afd9bdeafd8c657f6b493ada03c51e348516227b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 922, \u0022payload_entropy\u0022: 5.638143369099032, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c38ba9371dae7cb9f392003889a5e2034699ce93\u0022, \u0022event_fingerprint\u0022: \u0022c49bbffea35129d829a515ff116f95c1704735dd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002272d43eb808798db218d063798749cc39\u0022, \u0022payload_hash\u0022: \u002287c79fa7553811d02b86666b1e9bbf7b\u0022, \u0022path_pattern_hash\u0022: \u0022bfd33612e3863357684bd23d10455a76\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002233eb4aa7145c33d49866cd9fe5ec4eb8f2472ee0\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022node-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3000","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":922},{"id":9686485,"ip":"45.198.224.244","ts":"2026-06-19 23:37:48.000000","proto":"tcp","src_port":49952,"dst_port":3000,"service":"http","classification":"http_smuggling_probe","waf_score":56,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00221c1f86ba252c0c8ebc250acab48718f12d6d1efd\u0022, \u0022http_host_hash\u0022: \u002246f5955a67387b75de712e640b0687c888a438e5\u0022, \u0022http_target_hash\u0022: \u0022ada91241341ae792ecf0a59cad28616a77bab856\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 928, \u0022payload_entropy\u0022: 5.629000313445772, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221e67af4ace0fb9570a93d503a0db3591dd65e01e\u0022, \u0022event_fingerprint\u0022: \u00224f99a7d92fe1c1e77fc3a3c563d97b11b0619181\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002272d43eb808798db218d063798749cc39\u0022, \u0022payload_hash\u0022: \u0022ba29a39b5962c5340323c58934de0739\u0022, \u0022path_pattern_hash\u0022: \u0022702acf7c08d3b03b321d97b4903ad221\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-R\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-R\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224e96a09fb4b4be80d3c847eb9fa2daf48e1ea6ea\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022node-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3000","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":928},{"id":9686487,"ip":"45.198.224.244","ts":"2026-06-19 23:37:48.000000","proto":"tcp","src_port":49954,"dst_port":3000,"service":"http","classification":"http_smuggling_probe","waf_score":58,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next\/server","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00228447a2dfcfbbdcc75d5b5272da958411ec73dd1a\u0022, \u0022http_host_hash\u0022: \u002246f5955a67387b75de712e640b0687c888a438e5\u0022, \u0022http_target_hash\u0022: \u0022bef481449499f499a0b29ed75c9630076205b04f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 945, \u0022payload_entropy\u0022: 5.639639296079837, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c36746a77281a9fce22e541072d4e4f0737c5351\u0022, \u0022event_fingerprint\u0022: \u002287b00af68946e45a37698a12d54984fa7e6dffe5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002293af66442f9c9958e5fcc0142d9e74de\u0022, \u0022payload_hash\u0022: \u0022025121965d088add92aa77c584d91ed0\u0022, \u0022path_pattern_hash\u0022: \u00224d9c4ca8a8065d3ce7073b6b23f61056\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; \u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220c214a9712c9bd5de0a865ac1d0fff25926859d2\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022node-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":945},{"id":9686482,"ip":"45.198.224.244","ts":"2026-06-19 23:37:47.000000","proto":"tcp","src_port":49944,"dst_port":3000,"service":"http","classification":"http_smuggling_probe","waf_score":55,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022affd667937319ba36aa098ac5e3b53f4e282c1fe\u0022, \u0022http_host_hash\u0022: \u002246f5955a67387b75de712e640b0687c888a438e5\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 965, \u0022payload_entropy\u0022: 5.674933237536056, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022acb91e0e53779c097d8d44be0ab94cc5fdd213a6\u0022, \u0022event_fingerprint\u0022: \u0022ed7cd4b5808a7b0088bf2b6ff027999d206ef1c8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226990db627a3d5a6ae3f8a2c22924225b\u0022, \u0022payload_hash\u0022: \u0022d843e051e8a04323a15af7da3ce1b6aa\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\\r\\nAccept-Encoding: gzi\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\\r\\nAccept-Encoding: gzi\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002262823b465b94ad37f1916e1d86f3f01894c85b9f\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022node-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3000","http_user_agent":"Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":965},{"id":9686479,"ip":"45.198.224.244","ts":"2026-06-19 23:37:46.000000","proto":"tcp","src_port":49920,"dst_port":3000,"service":"node-http","classification":"web_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022node-http\u0022, \u0022app_proto\u0022: \u0022node-http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227c356cd3f41196ebc417361b0f54b35bbef962c4\u0022, \u0022event_fingerprint\u0022: \u002234fd482cd7628741af06d058b16059cafd546c90\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u00224154520a4208b3f021f35a6cc1dd98ae\u0022}, \u0022service_name\u0022: \u0022node-http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022node-http\u0022, \u0022service_name\u0022: \u0022node-http\u0022, \u0022risk_score\u0022: 40}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.71, \u0022classification_confidence\u0022: 0.71, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229fbb176b8be7c53f9f74a0d17880aaafba7d2e40\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 3000, \u0022service\u0022: \u0022node-http\u0022, \u0022service_label_fr\u0022: \u0022NODE HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via NODE HTTP:3000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 NODE HTTP\u0022, \u0022emulator_service\u0022: \u0022node-http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 71 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 71, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022node-http\u0022, \u0022service_label_fr\u0022: \u0022NODE HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-node-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 3000, \u0022service\u0022: \u0022node-http\u0022, \u0022service_label_fr\u0022: \u0022NODE HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via NODE HTTP:3000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00223000 \u00b7 NODE HTTP\u0022, \u0022emulator_service\u0022: \u0022node-http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 71 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 71 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022node_http\u0022, \u0022service_banner\u0022: \u0022honeypot-node-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_web_probe\u0022, \u0022node_http_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_web_probe\u0022, \u0022node_http_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":0},{"id":9686481,"ip":"45.198.224.244","ts":"2026-06-19 23:37:46.000000","proto":"tcp","src_port":49928,"dst_port":3000,"service":"http","classification":"web_probe","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u002246f5955a67387b75de712e640b0687c888a438e5\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 60, \u0022payload_entropy\u0022: 4.502479553833678, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022acadabb6e608d1908fefd541c4cece676bd41c90\u0022, \u0022event_fingerprint\u0022: \u00220a8ad1cb33910f55ec66abeb641b5eb23668cec0\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022597220e036db121e0b6ae329850b51eb\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.82, \u0022classification_confidence\u0022: 0.82, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227dc19df7e993431aa64cf30efafc82ee2e53c1a4\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:3000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 82, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:3000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 82 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022node-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3000","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":60},{"id":9681721,"ip":"45.198.224.244","ts":"2026-06-19 21:31:55.000000","proto":"tcp","src_port":52670,"dst_port":8080,"service":"http","classification":"http_smuggling_probe","waf_score":62,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/route","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002222d9380abcdf97c82db21728e444020cf16735ea\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u00221a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 966, \u0022payload_entropy\u0022: 5.6630290533824255, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 74, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221ad596657217a260bbfde7bd7dbf8675ae0c20d6\u0022, \u0022event_fingerprint\u0022: \u002246fad7a80ac53c3981cf28756f763ab2003e70d5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226c8160595869adea51d6742918f57fdf\u0022, \u0022payload_hash\u0022: \u00227e2f204b44770f0601c6de82d429546c\u0022, \u0022path_pattern_hash\u0022: \u00227c4fe35e07eebe8bea27a36c14378e32\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 74}, \u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\\r\\nAccept-Encoding: gz\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\\r\\nAccept-Encoding: gz\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aefc1944ca22a086a92486b40d016155e6fa9695\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 74, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":966},{"id":9681720,"ip":"45.198.224.244","ts":"2026-06-19 21:31:54.000000","proto":"tcp","src_port":52666,"dst_port":8080,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/app","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00221c1f86ba252c0c8ebc250acab48718f12d6d1efd\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u00220c35eebf403cf91fe77a64921d76aa1ca6411d20\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 927, \u0022payload_entropy\u0022: 5.6482622857173865, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 74, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228a7a730e3bd4ed5a37303ee15b632ec4892de342\u0022, \u0022event_fingerprint\u0022: \u00221fc6a70736a43e88c6e8fca79595036b64f26a25\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002272d43eb808798db218d063798749cc39\u0022, \u0022payload_hash\u0022: \u0022121a486fb40a3c56d6c2ca4ea712dda3\u0022, \u0022path_pattern_hash\u0022: \u0022f53b52ad6d21cceb72dfa78fb67614fe\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 74}, \u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-R\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-R\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002298d2d09ad3c9f0080877deea886afb02ea2ab335\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 74, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":927},{"id":9681718,"ip":"45.198.224.244","ts":"2026-06-19 21:31:53.000000","proto":"tcp","src_port":52646,"dst_port":8080,"service":"http","classification":"http_smuggling_probe","waf_score":56,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00221cafc1ec7983977ff1b9c77c60e09ef5fe869a95\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022ada91241341ae792ecf0a59cad28616a77bab856\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 984, \u0022payload_entropy\u0022: 5.6942691649694765, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 74, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002221e9fae942f52cc8b549481060b39762751f902f\u0022, \u0022event_fingerprint\u0022: \u0022de9086070f98b0daf5d3dfd24e5a3bbeea980a1d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c772734c6eb2978096c283068906aec3\u0022, \u0022payload_hash\u0022: \u0022ab3d707f5770fa4daa9b230613139474\u0022, \u0022path_pattern_hash\u0022: \u0022702acf7c08d3b03b321d97b4903ad221\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 74}, \u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\\r\\nAccept-E\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\\r\\nAccept-E\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227a77ddd2e7472db49b3fb5f71df5c96e6d326b16\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 74, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":984},{"id":9681719,"ip":"45.198.224.244","ts":"2026-06-19 21:31:53.000000","proto":"tcp","src_port":52658,"dst_port":8080,"service":"http","classification":"http_smuggling_probe","waf_score":58,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next\/server","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022a76e08b809549a8ef70acaf7074b5caa8a051858\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022bef481449499f499a0b29ed75c9630076205b04f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 967, \u0022payload_entropy\u0022: 5.6795367627243225, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 74, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e2df49b40bff1bf1c835e3051e5e684779804c0d\u0022, \u0022event_fingerprint\u0022: \u00229ba584fdc39f150e7c51f1e0eda84d67437d8d65\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002264a32e80cd1b4b7b1af4cc78f58848ee\u0022, \u0022payload_hash\u0022: \u0022055b8866dec1b5a61d117862d429d1b2\u0022, \u0022path_pattern_hash\u0022: \u00224d9c4ca8a8065d3ce7073b6b23f61056\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 74}, \u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT \u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, de\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, de\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002273e36fbcca951d3b6f512273488506c3037bd9bd\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 74, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":967},{"id":9681716,"ip":"45.198.224.244","ts":"2026-06-19 21:31:52.000000","proto":"tcp","src_port":52640,"dst_port":8080,"service":"http","classification":"http_smuggling_probe","waf_score":55,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022a76e08b809549a8ef70acaf7074b5caa8a051858\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 955, \u0022payload_entropy\u0022: 5.654559376331016, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 74, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dd0c863e8e5b3de4c865bd32a64a191cc8f0cbbb\u0022, \u0022event_fingerprint\u0022: \u0022c1a9c1f6f187ad29e77be46b13b8ac844c709953\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002264a32e80cd1b4b7b1af4cc78f58848ee\u0022, \u0022payload_hash\u0022: \u00224ec14a14ef1799c70ab8856b2d986856\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 74}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002264fc56195d3863a5e6e4a575907a7d693eae5134\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 74, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":955},{"id":9681717,"ip":"45.198.224.244","ts":"2026-06-19 21:31:52.000000","proto":"tcp","src_port":52644,"dst_port":8080,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022a76e08b809549a8ef70acaf7074b5caa8a051858\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022afd9bdeafd8c657f6b493ada03c51e348516227b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 960, \u0022payload_entropy\u0022: 5.662889515075729, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 74, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228a7a730e3bd4ed5a37303ee15b632ec4892de342\u0022, \u0022event_fingerprint\u0022: \u0022997360954c933942c23581cb49e3850fdfacc7fc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002264a32e80cd1b4b7b1af4cc78f58848ee\u0022, \u0022payload_hash\u0022: \u00225d545034cefd673db08153fd31c604c1\u0022, \u0022path_pattern_hash\u0022: \u0022bfd33612e3863357684bd23d10455a76\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 74}, \u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022420a159cbc463baf27ade3b716c7b0f4792262aa\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 74}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 74, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":960},{"id":9681714,"ip":"45.198.224.244","ts":"2026-06-19 21:31:51.000000","proto":"tcp","src_port":52622,"dst_port":8080,"service":"http","classification":"web_probe","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 60, \u0022payload_entropy\u0022: 4.577316637094897, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002237198db21b7202e636438aa5da36611eb6d754de\u0022, \u0022event_fingerprint\u0022: \u0022e8d7e440ce64622852a586f753bfe5d0110d3e76\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002215a4a5d6143f1183d398eba12061634b\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225b4204193a4c25716fc1670ad0cebd9890311a42\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":60},{"id":9681712,"ip":"45.198.224.244","ts":"2026-06-19 21:31:50.000000","proto":"tcp","src_port":52614,"dst_port":8080,"service":"http","classification":"web_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022986800c5ad65e75d541a277e48953dacf3f318da\u0022, \u0022event_fingerprint\u0022: \u00225afc6680f618e490dc22cb875ac6d45b5c7d65ea\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u00224154520a4208b3f021f35a6cc1dd98ae\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022945d6c54aac35f31bab6fba8d81332256826a36c\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 74, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_8080\u0022, \u0022http_alt_port\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_8080\u0022, \u0022http_alt_port\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":0},{"id":9668600,"ip":"45.198.224.244","ts":"2026-06-19 17:17:50.000000","proto":"tcp","src_port":46378,"dst_port":3000,"service":"http","classification":"http_smuggling_probe","waf_score":56,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00228563f2ed0fd1b3832e8c528ca96b1f98a5b0004e\u0022, \u0022http_host_hash\u0022: \u002246f5955a67387b75de712e640b0687c888a438e5\u0022, \u0022http_target_hash\u0022: \u0022ada91241341ae792ecf0a59cad28616a77bab856\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 942, \u0022payload_entropy\u0022: 5.651744553081352, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221e67af4ace0fb9570a93d503a0db3591dd65e01e\u0022, \u0022event_fingerprint\u0022: \u00224f99a7d92fe1c1e77fc3a3c563d97b11b0619181\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022fcf5bfa409c42db4e4a5f32bcc91f966\u0022, \u0022payload_hash\u0022: \u0022dba26015843b52bba0d6ecff0f3da087\u0022, \u0022path_pattern_hash\u0022: \u0022702acf7c08d3b03b321d97b4903ad221\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223d28099d879712dc85409e0b71dd1b5119ea5595\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022node-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3000","http_user_agent":"Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":942},{"id":9668601,"ip":"45.198.224.244","ts":"2026-06-19 17:17:50.000000","proto":"tcp","src_port":46382,"dst_port":3000,"service":"http","classification":"http_smuggling_probe","waf_score":58,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next\/server","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00228447a2dfcfbbdcc75d5b5272da958411ec73dd1a\u0022, \u0022http_host_hash\u0022: \u002246f5955a67387b75de712e640b0687c888a438e5\u0022, \u0022http_target_hash\u0022: \u0022bef481449499f499a0b29ed75c9630076205b04f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 959, \u0022payload_entropy\u0022: 5.649373820971101, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c36746a77281a9fce22e541072d4e4f0737c5351\u0022, \u0022event_fingerprint\u0022: \u002287b00af68946e45a37698a12d54984fa7e6dffe5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002293af66442f9c9958e5fcc0142d9e74de\u0022, \u0022payload_hash\u0022: \u0022cabb2e7446f8ed5c8ebe3e89dbb72a67\u0022, \u0022path_pattern_hash\u0022: \u00224d9c4ca8a8065d3ce7073b6b23f61056\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; \u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d17a08dbb1370b046ae85cecfe9c989b6b7e3eab\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022node-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":959},{"id":9668602,"ip":"45.198.224.244","ts":"2026-06-19 17:17:50.000000","proto":"tcp","src_port":46386,"dst_port":3000,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/app","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00228447a2dfcfbbdcc75d5b5272da958411ec73dd1a\u0022, \u0022http_host_hash\u0022: \u002246f5955a67387b75de712e640b0687c888a438e5\u0022, \u0022http_target_hash\u0022: \u00220c35eebf403cf91fe77a64921d76aa1ca6411d20\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 943, \u0022payload_entropy\u0022: 5.661600715484614, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c38ba9371dae7cb9f392003889a5e2034699ce93\u0022, \u0022event_fingerprint\u0022: \u0022ae01e5d64c65059bfac3d910117e1109010c7099\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002293af66442f9c9958e5fcc0142d9e74de\u0022, \u0022payload_hash\u0022: \u00225cf7503cc7cfdf60fbda72ba13abb9b5\u0022, \u0022path_pattern_hash\u0022: \u0022f53b52ad6d21cceb72dfa78fb67614fe\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dbf1cfbc59f66f236b54c4b27d2d7b2079902605\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022node-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":943},{"id":9668603,"ip":"45.198.224.244","ts":"2026-06-19 17:17:50.000000","proto":"tcp","src_port":46400,"dst_port":3000,"service":"http","classification":"http_smuggling_probe","waf_score":62,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/route","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220703723cf11531696e7769eb22f8d9b281390533\u0022, \u0022http_host_hash\u0022: \u002246f5955a67387b75de712e640b0687c888a438e5\u0022, \u0022http_target_hash\u0022: \u00221a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 937, \u0022payload_entropy\u0022: 5.649531213104693, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fe5171cbcf388509f61f3b6aecafcdfc099ea056\u0022, \u0022event_fingerprint\u0022: \u002265e65f62aaa913ad704f645caea35cffc912e98f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c9d890423bdd8f672926a6e46bf361c3\u0022, \u0022payload_hash\u0022: \u002266909df5e01995fcad0a7f8f5d42b7cf\u0022, \u0022path_pattern_hash\u0022: \u00227c4fe35e07eebe8bea27a36c14378e32\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229e965c96663d5b2e704241c486c94f3662aef358\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022node-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3000","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":937},{"id":9668598,"ip":"45.198.224.244","ts":"2026-06-19 17:17:49.000000","proto":"tcp","src_port":46358,"dst_port":3000,"service":"http","classification":"http_smuggling_probe","waf_score":55,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d336075c3988c6b7205cebd57d13f49ace6a0b3b\u0022, \u0022http_host_hash\u0022: \u002246f5955a67387b75de712e640b0687c888a438e5\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 933, \u0022payload_entropy\u0022: 5.654879627961583, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022acb91e0e53779c097d8d44be0ab94cc5fdd213a6\u0022, \u0022event_fingerprint\u0022: \u0022ed7cd4b5808a7b0088bf2b6ff027999d206ef1c8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225ea6889a59d080298a42c0e1b4758211\u0022, \u0022payload_hash\u0022: \u00222b87cc4ca3591fe0310baf29a33bf4ee\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Ne\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Ne\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224239b68025b8da74959fc3bfc776ecaf2d307a17\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022node-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3000","http_user_agent":"Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":933},{"id":9668599,"ip":"45.198.224.244","ts":"2026-06-19 17:17:49.000000","proto":"tcp","src_port":46372,"dst_port":3000,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022fac64969f9eca34262c56352be2d62dd2d22b1a0\u0022, \u0022http_host_hash\u0022: \u002246f5955a67387b75de712e640b0687c888a438e5\u0022, \u0022http_target_hash\u0022: \u0022afd9bdeafd8c657f6b493ada03c51e348516227b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 901, \u0022payload_entropy\u0022: 5.626373651442392, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 6.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 75, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c38ba9371dae7cb9f392003889a5e2034699ce93\u0022, \u0022event_fingerprint\u0022: \u0022c49bbffea35129d829a515ff116f95c1704735dd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00229f10b48170735feac18b44fa385fef37\u0022, \u0022payload_hash\u0022: \u00224dd7181555040592c0337b994e295f40\u0022, \u0022path_pattern_hash\u0022: \u0022bfd33612e3863357684bd23d10455a76\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 75}, \u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-Request-Id: poop1234\\r\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-Request-Id: poop1234\\r\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c73f66ee8414a4de21cf4112cd9f84fa5c353272\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 75, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 75, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022node-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3000","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":901},{"id":9668596,"ip":"45.198.224.244","ts":"2026-06-19 17:17:48.000000","proto":"tcp","src_port":46336,"dst_port":3000,"service":"node-http","classification":"web_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022node-http\u0022, \u0022app_proto\u0022: \u0022node-http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227c356cd3f41196ebc417361b0f54b35bbef962c4\u0022, \u0022event_fingerprint\u0022: \u002234fd482cd7628741af06d058b16059cafd546c90\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u00224154520a4208b3f021f35a6cc1dd98ae\u0022}, \u0022service_name\u0022: \u0022node-http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022node-http\u0022, \u0022service_name\u0022: \u0022node-http\u0022, \u0022risk_score\u0022: 40}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.71, \u0022classification_confidence\u0022: 0.71, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229fbb176b8be7c53f9f74a0d17880aaafba7d2e40\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 3000, \u0022service\u0022: \u0022node-http\u0022, \u0022service_label_fr\u0022: \u0022NODE HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via NODE HTTP:3000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 NODE HTTP\u0022, \u0022emulator_service\u0022: \u0022node-http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 71 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 71, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022node-http\u0022, \u0022service_label_fr\u0022: \u0022NODE HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-node-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 3000, \u0022service\u0022: \u0022node-http\u0022, \u0022service_label_fr\u0022: \u0022NODE HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via NODE HTTP:3000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00223000 \u00b7 NODE HTTP\u0022, \u0022emulator_service\u0022: \u0022node-http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 71 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 71 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022node_http\u0022, \u0022service_banner\u0022: \u0022honeypot-node-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_web_probe\u0022, \u0022node_http_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_web_probe\u0022, \u0022node_http_emulated\u0022]","anomalies":"[]","severity":4,"bytes_in":0},{"id":9668597,"ip":"45.198.224.244","ts":"2026-06-19 17:17:48.000000","proto":"tcp","src_port":46348,"dst_port":3000,"service":"http","classification":"web_probe","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f\u0022, \u0022emulator_response_len\u0022: 106, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u002246f5955a67387b75de712e640b0687c888a438e5\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 60, \u0022payload_entropy\u0022: 4.502479553833678, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3000, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022acadabb6e608d1908fefd541c4cece676bd41c90\u0022, \u0022event_fingerprint\u0022: \u00220a8ad1cb33910f55ec66abeb641b5eb23668cec0\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022597220e036db121e0b6ae329850b51eb\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.82, \u0022classification_confidence\u0022: 0.82, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227dc19df7e993431aa64cf30efafc82ee2e53c1a4\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:3000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 82, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 3000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:3000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3000\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00223000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 82 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022node-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3000","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":60},{"id":9658746,"ip":"45.198.224.244","ts":"2026-06-19 14:06:44.000000","proto":"tcp","src_port":55966,"dst_port":4000,"service":"remoteanything","classification":"remoteanything","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742072656d6f7465616e797468696e6720726561647920706f72743d343030300d0a\u0022, \u0022emulator_response_len\u0022: 45, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022remoteanything\u0022, \u0022app_proto\u0022: \u0022remoteanything\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 4000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f88a96a7a2195ddc5425c713492dfeb24a49282e\u0022, \u0022event_fingerprint\u0022: \u002207cd5f73535b136b58bd81864049efd35e649f3d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022remoteanything\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022910f1d0651f97b463356bb788b95ea33\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4000, \u0022service\u0022: \u0022remoteanything\u0022, \u0022service_name\u0022: \u0022remoteanything\u0022, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222a87d09db003d6362a4d925c05dd4f0ca2576d90\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 4000, \u0022service\u0022: \u0022remoteanything\u0022, \u0022service_label_fr\u0022: \u0022REMOTEANYTHING\u0022}, \u0022attack_vector\u0022: \u0022remoteanything \u00b7 via REMOTEANYTHING:4000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224000 \u00b7 REMOTEANYTHING\u0022, \u0022emulator_service\u0022: \u0022remoteanything\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022remoteanything\u0022, \u0022service_label_fr\u0022: \u0022REMOTEANYTHING\u0022, \u0022dst_port\u0022: 4000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-remoteanything\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 4000, \u0022service\u0022: \u0022remoteanything\u0022, \u0022service_label_fr\u0022: \u0022REMOTEANYTHING\u0022}, \u0022attack_vector\u0022: \u0022remoteanything \u00b7 via REMOTEANYTHING:4000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00224000 \u00b7 REMOTEANYTHING\u0022, \u0022emulator_service\u0022: \u0022remoteanything\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022remoteanything\u0022, \u0022service_banner\u0022: \u0022honeypot-remoteanything\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":9658747,"ip":"45.198.224.244","ts":"2026-06-19 14:06:44.000000","proto":"tcp","src_port":55970,"dst_port":4000,"service":"remoteanything","classification":"remoteanything","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742072656d6f7465616e797468696e6720726561647920706f72743d343030300d0a\u0022, \u0022emulator_response_len\u0022: 45, \u0022bytes_in\u0022: 60, \u0022payload_entropy\u0022: 4.556564762130954, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022remoteanything\u0022, \u0022app_proto\u0022: \u0022remoteanything\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 4000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 16.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 32.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227daab5526d463d9e36ac8ca3a98ef295abd5089f\u0022, \u0022event_fingerprint\u0022: \u002207cd5f73535b136b58bd81864049efd35e649f3d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 24}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022remoteanything\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223fea6dc73311d972d570b1f15b0da5aa\u0022, \u0022path_pattern_hash\u0022: \u0022910f1d0651f97b463356bb788b95ea33\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4000, \u0022service\u0022: \u0022remoteanything\u0022, \u0022service_name\u0022: \u0022remoteanything\u0022, \u0022risk_score\u0022: 24}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4000\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4000\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4000\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4000\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4000\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002296ee32bd7f1429c62e6864b8deb7ae7f85fce228\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4000\\r\\nConnection: close\u0022, \u0022port\u0022: 4000, \u0022service\u0022: \u0022remoteanything\u0022, \u0022service_label_fr\u0022: \u0022REMOTEANYTHING\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4000\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022remoteanything \u00b7 via REMOTEANYTHING:4000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224000 \u00b7 REMOTEANYTHING\u0022, \u0022emulator_service\u0022: \u0022remoteanything\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 1 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 24, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022remoteanything\u0022, \u0022service_label_fr\u0022: \u0022REMOTEANYTHING\u0022, \u0022dst_port\u0022: 4000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-remoteanything\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4000\\r\\nConnection: close\u0022, \u0022port\u0022: 4000, \u0022service\u0022: \u0022remoteanything\u0022, \u0022service_label_fr\u0022: \u0022REMOTEANYTHING\u0022}, \u0022attack_vector\u0022: \u0022remoteanything \u00b7 via REMOTEANYTHING:4000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4000\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00224000 \u00b7 REMOTEANYTHING\u0022, \u0022emulator_service\u0022: \u0022remoteanything\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 1 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022remoteanything\u0022, \u0022service_banner\u0022: \u0022honeypot-remoteanything\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022]","anomalies":"[]","severity":2,"bytes_in":60},{"id":9646785,"ip":"45.198.224.244","ts":"2026-06-19 09:48:52.000000","proto":"tcp","src_port":35624,"dst_port":8088,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022affd667937319ba36aa098ac5e3b53f4e282c1fe\u0022, \u0022http_host_hash\u0022: \u00225af561107125d8ccc4aac442a3b8b5dee6769a85\u0022, \u0022http_target_hash\u0022: \u0022afd9bdeafd8c657f6b493ada03c51e348516227b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 971, \u0022payload_entropy\u0022: 5.663676417619082, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8088, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 7.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 76, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b9be4450eecffc4d605b73310b426f230ea57659\u0022, \u0022event_fingerprint\u0022: \u00228c62f85e504446ca970e43ef1880c610b51105e1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 76, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226990db627a3d5a6ae3f8a2c22924225b\u0022, \u0022payload_hash\u0022: \u0022d58478ee63122acce654113164c7cf3f\u0022, \u0022path_pattern_hash\u0022: \u0022bfd33612e3863357684bd23d10455a76\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 76}, \u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\\r\\nAccept-Encoding\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\\r\\nAccept-Encoding\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f3fd29f7611b39799ebb1993032a6ef92f254eca\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 76, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 76, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8088, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228088\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8088\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8088","http_user_agent":"Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":971},{"id":9646786,"ip":"45.198.224.244","ts":"2026-06-19 09:48:52.000000","proto":"tcp","src_port":35638,"dst_port":8088,"service":"http","classification":"http_smuggling_probe","waf_score":56,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022a76e08b809549a8ef70acaf7074b5caa8a051858\u0022, \u0022http_host_hash\u0022: \u00225af561107125d8ccc4aac442a3b8b5dee6769a85\u0022, \u0022http_target_hash\u0022: \u0022ada91241341ae792ecf0a59cad28616a77bab856\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 952, \u0022payload_entropy\u0022: 5.651767670940968, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8088, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 7.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 76, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225a7ff7c847295bc7c8cb7b26fcdad8652f339051\u0022, \u0022event_fingerprint\u0022: \u002215943422306ff76579bc72abd66553de406ebfa2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 76, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002264a32e80cd1b4b7b1af4cc78f58848ee\u0022, \u0022payload_hash\u0022: \u00226f03b89185f5a5c2c6fd0b4527cc9a5c\u0022, \u0022path_pattern_hash\u0022: \u0022702acf7c08d3b03b321d97b4903ad221\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 76}, \u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\nNe\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\nNe\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225acbd21a7586a5a1d7ab2b3c1a0cf4647a937f0b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 76, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 76, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8088, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228088\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8088\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8088","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":952},{"id":9646787,"ip":"45.198.224.244","ts":"2026-06-19 09:48:52.000000","proto":"tcp","src_port":35642,"dst_port":8088,"service":"http","classification":"http_smuggling_probe","waf_score":58,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next\/server","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d336075c3988c6b7205cebd57d13f49ace6a0b3b\u0022, \u0022http_host_hash\u0022: \u00225af561107125d8ccc4aac442a3b8b5dee6769a85\u0022, \u0022http_target_hash\u0022: \u0022bef481449499f499a0b29ed75c9630076205b04f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 946, \u0022payload_entropy\u0022: 5.644526069553225, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8088, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 7.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 76, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b11bbf08f0ba0617fefe9c9a3c6baf0c8db9a19b\u0022, \u0022event_fingerprint\u0022: \u0022aa09415c50c71a8a5d6380143e1dd26a223d483f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 76, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225ea6889a59d080298a42c0e1b4758211\u0022, \u0022payload_hash\u0022: \u002242a216675ad1a51b5c4b268b232b9c30\u0022, \u0022path_pattern_hash\u0022: \u00224d9c4ca8a8065d3ce7073b6b23f61056\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 76}, \u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Act\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Act\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dbac831e0d8aafe788b8871364b4969dce171db0\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 76, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 76, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8088, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228088\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8088\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8088","http_user_agent":"Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":946},{"id":9646788,"ip":"45.198.224.244","ts":"2026-06-19 09:48:52.000000","proto":"tcp","src_port":35648,"dst_port":8088,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/app","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022a76e08b809549a8ef70acaf7074b5caa8a051858\u0022, \u0022http_host_hash\u0022: \u00225af561107125d8ccc4aac442a3b8b5dee6769a85\u0022, \u0022http_target_hash\u0022: \u00220c35eebf403cf91fe77a64921d76aa1ca6411d20\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 958, \u0022payload_entropy\u0022: 5.652921686626836, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8088, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 7.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 76, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b9be4450eecffc4d605b73310b426f230ea57659\u0022, \u0022event_fingerprint\u0022: \u0022a76ba649321c8ece6fd560e53841a342393796bc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 76, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002264a32e80cd1b4b7b1af4cc78f58848ee\u0022, \u0022payload_hash\u0022: \u0022f6648add071383c4c7df2c1760b7fd81\u0022, \u0022path_pattern_hash\u0022: \u0022f53b52ad6d21cceb72dfa78fb67614fe\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 76}, \u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\nNe\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\nNe\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225a7ba5031444461d44cdc6df52d810fe2cd5b555\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 76, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 76, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8088, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228088\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8088\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8088","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":958},{"id":9646789,"ip":"45.198.224.244","ts":"2026-06-19 09:48:52.000000","proto":"tcp","src_port":35654,"dst_port":8088,"service":"http","classification":"http_smuggling_probe","waf_score":62,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/route","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220703723cf11531696e7769eb22f8d9b281390533\u0022, \u0022http_host_hash\u0022: \u00225af561107125d8ccc4aac442a3b8b5dee6769a85\u0022, \u0022http_target_hash\u0022: \u00221a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 944, \u0022payload_entropy\u0022: 5.642816497496272, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8088, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 7.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 76, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002266b4ed6a0ded7aa54d815d6af0358922f1e903e7\u0022, \u0022event_fingerprint\u0022: \u0022831932703b6e4f316e985ecbe3bdb6ff75d01188\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 76, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c9d890423bdd8f672926a6e46bf361c3\u0022, \u0022payload_hash\u0022: \u0022790cc1fbd479cbb11537dc9fe43e402f\u0022, \u0022path_pattern_hash\u0022: \u00227c4fe35e07eebe8bea27a36c14378e32\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 76}, \u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a2f240531359a2a77ba1c16462c1290694215dff\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 76, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 76, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8088, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228088\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8088\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8088","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":944},{"id":9646782,"ip":"45.198.224.244","ts":"2026-06-19 09:48:51.000000","proto":"tcp","src_port":35594,"dst_port":8088,"service":"http-alt-8088","classification":"http-alt-8088","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http-alt-8088\u0022, \u0022app_proto\u0022: \u0022http-alt-8088\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8088, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022be18fd5396c091ebd409f5cfdf732d730b8067d4\u0022, \u0022event_fingerprint\u0022: \u0022e4439b80d6e4b371d582e64e67ce8ed1e436ce25\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8088 \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http-alt-8088\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022f7ffc7733123826391689a4267b358d2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8088, \u0022service\u0022: \u0022http-alt-8088\u0022, \u0022service_name\u0022: \u0022http-alt-8088\u0022, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f4361951a29bb7613a383046fe98daf61717659f\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 8088, \u0022service\u0022: \u0022http-alt-8088\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8088\u0022}, \u0022attack_vector\u0022: \u0022http-alt-8088 \u00b7 via HTTP ALT 8088:8088 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP ALT 8088\u0022, \u0022emulator_service\u0022: \u0022http-alt-8088\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8088 \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http-alt-8088 \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http-alt-8088\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8088\u0022, \u0022dst_port\u0022: 8088, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http-alt-8088\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 8088, \u0022service\u0022: \u0022http-alt-8088\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8088\u0022}, \u0022attack_vector\u0022: \u0022http-alt-8088 \u00b7 via HTTP ALT 8088:8088 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP ALT 8088\u0022, \u0022emulator_service\u0022: \u0022http-alt-8088\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http_alt_8088\u0022, \u0022service_banner\u0022: \u0022honeypot-http-alt-8088\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228088\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":9646783,"ip":"45.198.224.244","ts":"2026-06-19 09:48:51.000000","proto":"tcp","src_port":35610,"dst_port":8088,"service":"http","classification":"web_probe","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00225af561107125d8ccc4aac442a3b8b5dee6769a85\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 60, \u0022payload_entropy\u0022: 4.577316637094897, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8088, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224c107cce6f4a587053401a64b6b1b030c9318e51\u0022, \u0022event_fingerprint\u0022: \u00221c74cf8230f9b4879e57da93bad95e8e25d3b4ad\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fa2a0b2b1c98b17895dcddedb757fab1\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.82, \u0022classification_confidence\u0022: 0.82, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bc33383ed8e0c2f1bcfb3fd821dc70944507008c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8088 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 82, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8088, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8088 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 82 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228088\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8088\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8088","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":60},{"id":9646784,"ip":"45.198.224.244","ts":"2026-06-19 09:48:51.000000","proto":"tcp","src_port":35614,"dst_port":8088,"service":"http","classification":"http_smuggling_probe","waf_score":55,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00221c1f86ba252c0c8ebc250acab48718f12d6d1efd\u0022, \u0022http_host_hash\u0022: \u00225af561107125d8ccc4aac442a3b8b5dee6769a85\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 911, \u0022payload_entropy\u0022: 5.6629044372011865, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 215925, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8088, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 7.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 76, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b99e469991b601cc8de0e5929a49ae8b7a6c9d5c\u0022, \u0022event_fingerprint\u0022: \u0022776e8baedccd03d8fb5e94ec580a074cc2f9d60f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 76, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 215925, \u0022org\u0022: \u0022Vpsvault.host Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002272d43eb808798db218d063798749cc39\u0022, \u0022payload_hash\u0022: \u0022d45e013ec5fa0e5acafa8c1d5db2e168\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 76}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 508\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 508\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-Requ\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 508\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 508\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-Requ\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 508\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d609b7f0dfa8174feb940e9cdffa2cc174658824\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 508\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 76, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 76, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8088, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8088, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8088\\r\\nContent-Length: 508\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl\u0022, \u0022target_port_label\u0022: \u00228088 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228088\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8088\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8088","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":911}],"total_events":50}