Renseignement sur les menaces

États-Unis

45.198.224.244

FAI Vpsvault.host Ltd Première vue 16/06/2026 04:26 UTC Dernière vue 17/06/2026 05:54 UTC Risque Élevé

Période analysée : 2026-05-18 → 2026-06-17

Activité suspecte — risque 75/100 (Élevé) — MITRE TA0001 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 76/100 Élevé

Première observation 16/06/2026 04:26 UTC

Dernière observation 17/06/2026 05:54 UTC

Événements (période) 66

MITRE ATT&CK principal TA0001 48 occurrences

Activité suspecte — risque 75/100 (Élevé) — MITRE TA0001 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%

Confiance 100 % — Score WAF 100 · Bonus corrélation +8 · 10 tag(s) WAF

Comparaison ASN / FAI

ASN 215925 · 45.198.224.0/24 · AFRINIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 66 événements sur la période pour cette IP.

45.198.224.140 Sonde SSH 17/06/2026 06:01 UTC
45.198.224.114 Sonde SSH 17/06/2026 05:56 UTC
45.198.224.46 Sonde SSH 17/06/2026 05:49 UTC
45.198.224.5 Sonde PostgreSQL 17/06/2026 05:48 UTC
45.205.1.243 Sonde port 5000/TCP 17/06/2026 05:46 UTC
45.205.1.247 Sonde port 8085/TCP 17/06/2026 05:27 UTC
45.205.1.242 Sonde port 8801/TCP 17/06/2026 05:04 UTC
45.198.224.92 Sonde SSH 17/06/2026 04:46 UTC

Événements (filtres)

Première observation

16/06/2026 04:26 UTC

Dernière observation

17/06/2026 05:54 UTC

Dernière activité (filtres)

17/06/2026 05:54 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 50 HTTPS TCP 8 NODE HTTP TCP 2 REMOTEANYTHING TCP 2 HTTP ALT 8088 TCP 1 GRAFANA TCP 1 HTTP ALT 8081 TCP 1

HTTP

HTTPS

NODE HTTP

REMOTEANYTHING

HTTP ALT 8088

GRAFANA

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Vpsvault.host Ltd 0 Port 3000 web_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /api/route

Détails protocole

Méthode: POST
Chemin: /api/route
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 S…

Aperçu payload

POST /api/route HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.

Port / service

3000 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF

Technique MITRE

TA0001

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0842

Confiance

100% Corrélation +8

Famille de menace

web_injection

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

66 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

66 événement(s) — page 2/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
16/06/2026 07:31:13 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) Appl… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Andr Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1cafc1ec7983977ff1b9c77c60e09ef5fe869a95", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 987, "payload_entropy": 5.690695027549453, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 13, "anomaly_count": 0, "campaign_key": "e2df49b40bff1bf1c835e3051e5e684779804c0d", "event_fingerprint": "9ba584fdc39f150e7c51f1e0eda84d67437d8d65", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c772734c6eb2978096c283068906aec3", "payload_hash": "45218565b5d869d627a7349a736d6b35", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d62c49acda47ab3ac9610bdbb775604152aceb8b", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:13 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /app	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Accept-Encoding: gzip, deflate Ne Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "a76e08b809549a8ef70acaf7074b5caa8a051858", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 951, "payload_entropy": 5.652409630981394, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 12, "anomaly_count": 0, "campaign_key": "8a7a730e3bd4ed5a37303ee15b632ec4892de342", "event_fingerprint": "1fc6a70736a43e88c6e8fca79595036b64f26a25", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "64a32e80cd1b4b7b1af4cc78f58848ee", "payload_hash": "87ed84b01bcaca157f97e434bcaa1665", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\nNe", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\nNe", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7619563e25a6b63090e359146b12db88542734fa", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:13 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007;… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile Safari/ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1978af5307537775fab4b66b0f1439319be37ce1", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 987, "payload_entropy": 5.664523870539842, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 16, "anomaly_count": 0, "campaign_key": "1ad596657217a260bbfde7bd7dbf8675ae0c20d6", "event_fingerprint": "46fad7a80ac53c3981cf28756f763ab2003e70d5", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7967be4fa492cfad4b86b41e3ae090e9", "payload_hash": "558741a1d48dc05d8b06ee4182d47a07", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6541a3c734c567de9caba795c4c6b42bae5b1e98", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 10 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:12 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /_next	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 507 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; W Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 507 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Accept-Encoding: gzip, deflate Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "a76e08b809549a8ef70acaf7074b5caa8a051858", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 939, "payload_entropy": 5.657146249718423, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 12, "anomaly_count": 0, "campaign_key": "8a7a730e3bd4ed5a37303ee15b632ec4892de342", "event_fingerprint": "997360954c933942c23581cb49e3850fdfacc7fc", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "64a32e80cd1b4b7b1af4cc78f58848ee", "payload_hash": "41b8d90afa301ae08a109d54ea957298", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f3e0660f3aa9654e2fcfc94b4baeaf05ffec7d3b", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:12 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /api	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-Request-Id: poop1234 C Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "fac64969f9eca34262c56352be2d62dd2d22b1a0", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 905, "payload_entropy": 5.605397513701913, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 14, "anomaly_count": 0, "campaign_key": "21e9fae942f52cc8b549481060b39762751f902f", "event_fingerprint": "de9086070f98b0daf5d3dfd24e5a3bbeea980a1d", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f10b48170735feac18b44fa385fef37", "payload_hash": "d45a7a42a7af0daca280ad1560d265fb", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "89465f6de370e56e22d8a331197edddfa52ffe47", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:11 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit)	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Accept-Encoding: gzip, deflate Next- Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "a76e08b809549a8ef70acaf7074b5caa8a051858", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 949, "payload_entropy": 5.672032491151558, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 13, "anomaly_count": 0, "campaign_key": "dd0c863e8e5b3de4c865bd32a64a191cc8f0cbbb", "event_fingerprint": "c1a9c1f6f187ad29e77be46b13b8ac844c709953", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "64a32e80cd1b4b7b1af4cc78f58848ee", "payload_hash": "a35d83f746468780e009c9bba877cbf6", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\nNext-", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\nNext-", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f96bc006a154697a39dc081859ab5ee9ba58e535", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:10 UTC	TCP	8080 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8080 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP WAF — Recommandation Surveiller Tags http_alt_8080 http_alt_port net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8080 Chemin / cible — Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 74% Confiance classification 84% Corrélation +10 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "986800c5ad65e75d541a277e48953dacf3f318da", "event_fingerprint": "5afc6680f618e490dc22cb875ac6d45b5c7d65ea", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "service_name": "http", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 40 }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.84, "classification_confidence": 0.84, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "945d6c54aac35f31bab6fba8d81332256826a36c", "protocol_details": { "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 84, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 84 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_8080", "http_alt_port", "net_web_probe" ] }
16/06/2026 07:31:10 UTC	TCP	8080 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8080 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74% Confiance classification 84% Corrélation +10 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 20 · 1 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8080 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.577316637094897, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "37198db21b7202e636438aa5da36611eb6d754de", "event_fingerprint": "e8d7e440ce64622852a586f753bfe5d0110d3e76", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "15a4a5d6143f1183d398eba12061634b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.84, "classification_confidence": 0.84, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b4204193a4c25716fc1670ad0cebd9890311a42", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 84, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 84 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +10 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ] }
16/06/2026 04:26:53 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate N Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "8447a2dfcfbbdcc75d5b5272da958411ec73dd1a", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 952, "payload_entropy": 5.642716490179193, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "c36746a77281a9fce22e541072d4e4f0737c5351", "event_fingerprint": "87b00af68946e45a37698a12d54984fa7e6dffe5", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "93af66442f9c9958e5fcc0142d9e74de", "payload_hash": "7eedaf447dfc2c10aa5df213b36e68e5", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; ", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nN", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh;", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nN", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh;", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e5536a4c7e1124e937417bab038c388432e85377", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh;", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh;", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 04:26:53 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /app	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4. Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Accept-Encoding: gzip, de Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "22d9380abcdf97c82db21728e444020cf16735ea", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 961, "payload_entropy": 5.689062710877391, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "c38ba9371dae7cb9f392003889a5e2034699ce93", "event_fingerprint": "ae01e5d64c65059bfac3d910117e1109010c7099", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6c8160595869adea51d6742918f57fdf", "payload_hash": "bc29f07aa5f31ffb4e1aee8ea13b2be7", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gzip, de", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gzip, de", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1bcdabe11a1088a3bc9e33aee4ff78bbe757f356", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 04:26:53 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86 Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Ne Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1c1f86ba252c0c8ebc250acab48718f12d6d1efd", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 940, "payload_entropy": 5.640710689692344, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 16, "anomaly_count": 0, "campaign_key": "fe5171cbcf388509f61f3b6aecafcdfc099ea056", "event_fingerprint": "65e65f62aaa913ad704f645caea35cffc912e98f", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "72d43eb808798db218d063798749cc39", "payload_hash": "b717110770f8149e644f8617438b6176", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Ne", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Ne", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1a816b242548ca399a4c76bb5027eeecafa8db42", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 10 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 04:26:52 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /_next	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) Appl… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Accept Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1cafc1ec7983977ff1b9c77c60e09ef5fe869a95", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 980, "payload_entropy": 5.691202073357923, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "c38ba9371dae7cb9f392003889a5e2034699ce93", "event_fingerprint": "c49bbffea35129d829a515ff116f95c1704735dd", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c772734c6eb2978096c283068906aec3", "payload_hash": "9b98821f08e0ce5838ed317c3d9c63fb", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAccept", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAccept", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7ea58965055c7edd14e6407f3d4b6c5e418a4a99", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 04:26:52 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /api	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-Request-Id: poop1234 C Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "fac64969f9eca34262c56352be2d62dd2d22b1a0", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 905, "payload_entropy": 5.614241524043487, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 14, "anomaly_count": 0, "campaign_key": "1e67af4ace0fb9570a93d503a0db3591dd65e01e", "event_fingerprint": "4f99a7d92fe1c1e77fc3a3c563d97b11b0619181", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f10b48170735feac18b44fa385fef37", "payload_hash": "66eac3e7994e92148b12e0e6eb25bd2f", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2085d546e7aa82aae66b2c033da0166884486ab1", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 04:26:51 UTC	TCP	3000 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:3000 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74% Confiance classification 92% Corrélation +18 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 20 · 1 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3000 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.502479553833678, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "acadabb6e608d1908fefd541c4cece676bd41c90", "event_fingerprint": "0a8ad1cb33910f55ec66abeb641b5eb23668cec0", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "597220e036db121e0b6ae329850b51eb", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 18 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7dc19df7e993431aa64cf30efafc82ee2e53c1a4", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:3000 \u00b7 (sonde \/ probe)", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 92, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 18 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:3000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 92 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ] }
16/06/2026 04:26:51 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit)	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, l… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 508 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 10; K) A Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 508 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "8563f2ed0fd1b3832e8c528ca96b1f98a5b0004e", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 926, "payload_entropy": 5.6423092073487044, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "acb91e0e53779c097d8d44be0ab94cc5fdd213a6", "event_fingerprint": "ed7cd4b5808a7b0088bf2b6ff027999d206ef1c8", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fcf5bfa409c42db4e4a5f32bcc91f966", "payload_hash": "b90e39f192d84c261ed2c716019112e6", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "384a29926978850ab588716f52b687a53114a434", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit)", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 04:26:50 UTC	TCP	3000 · NODE HTTP	node-http	Sonde HTTP Sonde HTTP · via NODE HTTP:3000 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur NODE-HTTP WAF — Recommandation Surveiller Tags net_web_probe node_http_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Service NODE HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 71% Confiance classification 81% Corrélation +10 Risque capteur Moyen · 40 Confiance : Confiance 71 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "node-http", "app_proto": "node-http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 40, "tag_count": 2, "anomaly_count": 0, "campaign_key": "7c356cd3f41196ebc417361b0f54b35bbef962c4", "event_fingerprint": "34fd482cd7628741af06d058b16059cafd546c90", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "service_name": "node-http", "target_context": { "dst_port": 3000, "service": "node-http", "service_name": "node-http", "risk_score": 40 }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.81, "classification_confidence": 0.81, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9fbb176b8be7c53f9f74a0d17880aaafba7d2e40", "protocol_details": { "port": 3000, "service": "node-http", "service_label_fr": "NODE HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via NODE HTTP:3000 \u00b7 (sonde \/ probe)", "target_port_label": "3000 \u00b7 NODE HTTP", "emulator_service": "node-http", "confidence_reason": "Confiance 71 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 81, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "node-http", "service_label_fr": "NODE HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-node-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 3000, "service": "node-http", "service_label_fr": "NODE HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via NODE HTTP:3000 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "3000 \u00b7 NODE HTTP", "emulator_service": "node-http", "confidence_reason": "Confiance 71 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 81 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "node_http", "service_banner": "honeypot-node-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_web_probe", "node_http_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }

45.198.224.244

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence