Renseignement sur les menaces

États-Unis

45.198.224.244

FAI Vpsvault.host Ltd Première vue 16/06/2026 04:26 UTC Dernière vue 19/06/2026 21:31 UTC Risque Élevé

Période analysée : 2026-03-21 → 2026-06-19

Activité suspecte — risque 74/100 (Élevé) — MITRE TA0001 — confiance 95 % — via HTTP

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 76/100 Élevé

Première observation 16/06/2026 04:26 UTC

Dernière observation 19/06/2026 21:31 UTC

Événements (période) 190

MITRE ATT&CK principal TA0001 138 occurrences

Activité suspecte — risque 74/100 (Élevé) — MITRE TA0001 — confiance 95 % — via HTTP

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%

Confiance 95 % — Score WAF 100 · 10 tag(s) WAF

Comparaison ASN / FAI

ASN 215925 · 45.198.224.0/24 · AFRINIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 190 événements sur la période pour cette IP.

45.198.224.141 Sonde SSH 19/06/2026 22:43 UTC
45.205.1.73 Sonde SAP ICM HTTP 19/06/2026 22:36 UTC
45.205.1.242 Sonde port 8181/TCP 19/06/2026 22:23 UTC
45.198.224.138 Sonde port 19/06/2026 22:20 UTC
45.198.224.5 imap bruteforce 19/06/2026 22:11 UTC
45.205.1.69 radius probe 19/06/2026 22:10 UTC
45.205.1.68 Tentative d'exploit 19/06/2026 21:58 UTC
45.205.1.245 Sonde PostgreSQL 19/06/2026 21:56 UTC

Événements (filtres)

190

Première observation

16/06/2026 04:26 UTC

Dernière observation

19/06/2026 21:31 UTC

Dernière activité (filtres)

19/06/2026 21:31 UTC

Événements 7j

190

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 144 HTTPS TCP 24 REMOTEANYTHING TCP 6 NODE HTTP TCP 4 HTTP ALT 8081 TCP 3 HTTP ALT 8088 TCP 3 GRAFANA TCP 3

HTTP

144

HTTPS

REMOTEANYTHING

NODE HTTP

HTTP ALT 8081

HTTP ALT 8088

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Vpsvault.host Ltd 0 Port 8080 web_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /api/route

Détails protocole

Méthode: POST
Chemin: /api/route
User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, li…

Aperçu payload

POST /api/route HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Andr

Port / service

8080 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF

Technique MITRE

TA0001

Persona capteur

mail.sensor-1.internal

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0842

Confiance

95%

Famille de menace

web_injection

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

190 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

190 événement(s) — page 2/4

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
18/06/2026 18:53:42 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Andr Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Accept-Encoding: gz Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "22d9380abcdf97c82db21728e444020cf16735ea", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 967, "payload_entropy": 5.661083281540935, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 16, "anomaly_count": 0, "campaign_key": "17f8082b7177a6962da54a61b69b8c55587a2484", "event_fingerprint": "44273dd9b4c851d7b9a674b35acd2e74b843b306", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6c8160595869adea51d6742918f57fdf", "payload_hash": "f782f11aa968c45bf76aeb5ee8a8f708", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gz", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gz", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ef31e43f3403134c671fd418bd7ef294879dbe2b", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 10 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 18:53:42 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1c1f86ba252c0c8ebc250acab48718f12d6d1efd", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 937, "payload_entropy": 5.665336081695682, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "6f5948cef2533ee6717481d676f7cea8a7121fae", "event_fingerprint": "25e704f0aca0877f96ba11a8b72866ac12712632", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "72d43eb808798db218d063798749cc39", "payload_hash": "3b065124e629791dd11d17f2f763fc69", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux ", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a8f16421828e9b1e10ff99583ca33eda8fb21363", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 18:53:42 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /app	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 145 Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d336075c3988c6b7205cebd57d13f49ace6a0b3b", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 943, "payload_entropy": 5.655305762686639, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "355d7572ad0a2a31a82f6a17f7d1b0376cbe086a", "event_fingerprint": "ba76cda5a5de39507583c01573d44f59579b7605", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5ea6889a59d080298a42c0e1b4758211", "payload_hash": "b4116331e4ae9a086019e31537513595", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "25bf28388ba2b6a7c2d706a54fed0d0a9405b36e", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 18:53:41 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit)	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWeb… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 1 Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Accept-Encoding: gzi Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "affd667937319ba36aa098ac5e3b53f4e282c1fe", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 972, "payload_entropy": 5.691104899784926, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "5286d7149cff2380a616c8211b39b63366c8dd6f", "event_fingerprint": "16e2c48fbcd6b17a02278bce3dc927a637697700", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6990db627a3d5a6ae3f8a2c22924225b", "payload_hash": "64b58ce46782b7c0b5f6839c88f21f38", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-Encoding: gzi", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-Encoding: gzi", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fcdb9efe409fbc1b042edf13b1db8a4d37163f14", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit)", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 1", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 18:53:41 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /_next	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 1 Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d336075c3988c6b7205cebd57d13f49ace6a0b3b", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 932, "payload_entropy": 5.620552228024293, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "355d7572ad0a2a31a82f6a17f7d1b0376cbe086a", "event_fingerprint": "bd2e4031bf04bf18dee63c7bcfc15bb898971b77", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5ea6889a59d080298a42c0e1b4758211", "payload_hash": "4c7a1aa0a01187d174103a77e16d8fe0", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4759fe6bcbf7a3df8d7c28b10fa40e04b27339a0", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 18:53:41 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /api	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 145 Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d336075c3988c6b7205cebd57d13f49ace6a0b3b", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 936, "payload_entropy": 5.665399854514357, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 14, "anomaly_count": 0, "campaign_key": "5f81689c0d4c52be206bd91cfd395583910ca4a3", "event_fingerprint": "82784f43a5e9f3ee94ecdb86dca53a33b02b4a21", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5ea6889a59d080298a42c0e1b4758211", "payload_hash": "9d645b942eabd9c61fd36db31bf12bfd", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0a4e36af26fe1c91c91d03fcb0eecd828c282146", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 18:53:40 UTC	TCP	3001 · GRAFANA	grafana	grafana probe grafana probe · via GRAFANA:3001 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur GRAFANA WAF — Recommandation Surveiller Tags grafana_emulated net_grafana_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3001 Chemin / cible — Service GRAFANA Pourquoi cette classification : Type « grafana_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 24 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "grafana", "app_proto": "grafana", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 24, "tag_count": 2, "anomaly_count": 0, "campaign_key": "fa5e9f89adb2c47cafc508db34cacd873d1de716", "event_fingerprint": "0f885f7557e23a2165fec6e25217796b52e0b682", "classification_reason": "Type \u00ab grafana_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 24 }, "named_classification_skipped": false, "service_name": "grafana", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6fe594699bf22753f400c105c5e66cd2" }, "target_context": { "dst_port": 3001, "service": "grafana", "service_name": "grafana", "risk_score": 24 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a45c6598dfbd7f36d43b9df396afaa630d6ff129", "protocol_details": { "port": 3001, "service": "grafana", "service_label_fr": "GRAFANA" }, "attack_vector": "grafana probe \u00b7 via GRAFANA:3001 \u00b7 (sonde \/ probe)", "target_port_label": "3001 \u00b7 GRAFANA", "emulator_service": "grafana", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab grafana_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab grafana_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 24 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "grafana", "service_label_fr": "GRAFANA", "dst_port": 3001, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-grafana", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 3001, "service": "grafana", "service_label_fr": "GRAFANA" }, "attack_vector": "grafana probe \u00b7 via GRAFANA:3001 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "3001 \u00b7 GRAFANA", "emulator_service": "grafana", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "grafana", "service_banner": "honeypot-grafana", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "grafana_emulated", "net_grafana_probe" ] }
18/06/2026 18:53:40 UTC	TCP	3001 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:3001 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3001 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74% Confiance classification 82% Corrélation +8 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 20 · 1 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3001 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.510649970428229, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a03f8e495fb2c8a4b497319935cd9db363466aea", "event_fingerprint": "da23c40320a3e9c3f4c59c38b781fb247e83e390", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8cdda30c43b2dd7c07f4801c1b61cc70", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 8 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.82, "classification_confidence": 0.82, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e015661753fc64a5a3205772e3dabde2526361d", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:3001 \u00b7 (sonde \/ probe)", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 82, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:3001 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 82 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ] }
18/06/2026 13:48:30 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86 Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Ne Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1c1f86ba252c0c8ebc250acab48718f12d6d1efd", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 933, "payload_entropy": 5.614001931486645, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 16, "anomaly_count": 0, "campaign_key": "1ad596657217a260bbfde7bd7dbf8675ae0c20d6", "event_fingerprint": "46fad7a80ac53c3981cf28756f763ab2003e70d5", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "72d43eb808798db218d063798749cc39", "payload_hash": "49ff896b6312fd0a75fdf30df962c817", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Ne", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Ne", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1fea4337c886cef108dba154471618a26ac2ba6c", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 10 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 13:48:29 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Windows NT Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Ac Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "0703723cf11531696e7769eb22f8d9b281390533", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 940, "payload_entropy": 5.670523923066305, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 13, "anomaly_count": 0, "campaign_key": "e2df49b40bff1bf1c835e3051e5e684779804c0d", "event_fingerprint": "9ba584fdc39f150e7c51f1e0eda84d67437d8d65", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c9d890423bdd8f672926a6e46bf361c3", "payload_hash": "11bbd0cb8e5772701294eb7b65329fc3", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT ", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Ac", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Ac", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4e386cbbe56bdc8160e78c8a93ca577b24158bb4", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 13:48:29 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /app	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 145 Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d336075c3988c6b7205cebd57d13f49ace6a0b3b", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 930, "payload_entropy": 5.65457787758286, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 12, "anomaly_count": 0, "campaign_key": "8a7a730e3bd4ed5a37303ee15b632ec4892de342", "event_fingerprint": "1fc6a70736a43e88c6e8fca79595036b64f26a25", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5ea6889a59d080298a42c0e1b4758211", "payload_hash": "d419c0734c0b4ffeae48f2bd3ec22ab3", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0ddef9e871855196545126423d64129be33f6db6", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 13:48:28 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /api	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Accept-Encoding: gzip, deflate Ne Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "a76e08b809549a8ef70acaf7074b5caa8a051858", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 951, "payload_entropy": 5.658908908331213, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 14, "anomaly_count": 0, "campaign_key": "21e9fae942f52cc8b549481060b39762751f902f", "event_fingerprint": "de9086070f98b0daf5d3dfd24e5a3bbeea980a1d", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "64a32e80cd1b4b7b1af4cc78f58848ee", "payload_hash": "2beffa57d93cb407223b8a1dd5c1fcb7", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\nNe", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\nNe", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "634e959619a8c416ad817686e545ea21f4c04397", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 13:48:27 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /_next	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007;… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 14; Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile Safari/537. Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1978af5307537775fab4b66b0f1439319be37ce1", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 983, "payload_entropy": 5.681642781861493, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 12, "anomaly_count": 0, "campaign_key": "8a7a730e3bd4ed5a37303ee15b632ec4892de342", "event_fingerprint": "997360954c933942c23581cb49e3850fdfacc7fc", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7967be4fa492cfad4b86b41e3ae090e9", "payload_hash": "3e9ae6a7ba82be55d694d519036c8cdd", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ce1d8d421e793d86abca29bc0eae78014a210a65", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 13:48:26 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit)	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-N Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0703723cf11531696e7769eb22f8d9b281390533", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 935, "payload_entropy": 5.649826179869148, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 13, "anomaly_count": 0, "campaign_key": "dd0c863e8e5b3de4c865bd32a64a191cc8f0cbbb", "event_fingerprint": "c1a9c1f6f187ad29e77be46b13b8ac844c709953", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c9d890423bdd8f672926a6e46bf361c3", "payload_hash": "743968d0bc27a1cdbee565d226e82dfb", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-N", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-N", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9f8783cb08de7ab5f5aba7ec185fdcaf8110db6a", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 9 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 13:48:25 UTC	TCP	8080 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8080 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP WAF — Recommandation Surveiller Tags http_alt_8080 http_alt_port net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8080 Chemin / cible — Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 74% Confiance classification 74% Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "986800c5ad65e75d541a277e48953dacf3f318da", "event_fingerprint": "5afc6680f618e490dc22cb875ac6d45b5c7d65ea", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "service_name": "http", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 40 }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "945d6c54aac35f31bab6fba8d81332256826a36c", "protocol_details": { "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 74, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 74 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_8080", "http_alt_port", "net_web_probe" ] }
18/06/2026 13:48:25 UTC	TCP	8080 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8080 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74% Confiance classification 74% Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 20 · 1 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8080 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.577316637094897, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "37198db21b7202e636438aa5da36611eb6d754de", "event_fingerprint": "e8d7e440ce64622852a586f753bfe5d0110d3e76", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "15a4a5d6143f1183d398eba12061634b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b4204193a4c25716fc1670ad0cebd9890311a42", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 74, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ] }
18/06/2026 12:11:24 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007;… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 512 Connection: close User-Agent: Mozilla/5.0 (Linux; Android Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 512 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile Safari/ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1978af5307537775fab4b66b0f1439319be37ce1", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 986, "payload_entropy": 5.6402547904477665, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 16, "anomaly_count": 0, "campaign_key": "fe5171cbcf388509f61f3b6aecafcdfc099ea056", "event_fingerprint": "65e65f62aaa913ad704f645caea35cffc912e98f", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7967be4fa492cfad4b86b41e3ae090e9", "payload_hash": "923c8dfd8579815ba8f0c2b6f07d1e45", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "25edefa56c2969ad99d04e5df60a41ff27c0a041", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 10 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 12:11:23 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /api	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4. Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Accept-Encoding: gzip, de Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "22d9380abcdf97c82db21728e444020cf16735ea", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 967, "payload_entropy": 5.678091941975262, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 14, "anomaly_count": 0, "campaign_key": "1e67af4ace0fb9570a93d503a0db3591dd65e01e", "event_fingerprint": "4f99a7d92fe1c1e77fc3a3c563d97b11b0619181", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6c8160595869adea51d6742918f57fdf", "payload_hash": "3dfa6526642da780cf1b314cc40413df", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gzip, de", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gzip, de", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9d761d2cf1afd927cc1f310bd86efd40c4cef8b3", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 12:11:23 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWeb… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Accept-E Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "affd667937319ba36aa098ac5e3b53f4e282c1fe", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 971, "payload_entropy": 5.6562943844760385, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "c36746a77281a9fce22e541072d4e4f0737c5351", "event_fingerprint": "87b00af68946e45a37698a12d54984fa7e6dffe5", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6990db627a3d5a6ae3f8a2c22924225b", "payload_hash": "4e9bc47a171dda2f810802524c3c3de3", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-E", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-E", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e8fb9a3d0d90ddb58be895452e9d07a9d7e74e95", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 12:11:23 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /app	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Actio Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "8447a2dfcfbbdcc75d5b5272da958411ec73dd1a", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 944, "payload_entropy": 5.660132287559675, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "c38ba9371dae7cb9f392003889a5e2034699ce93", "event_fingerprint": "ae01e5d64c65059bfac3d910117e1109010c7099", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "93af66442f9c9958e5fcc0142d9e74de", "payload_hash": "e27de5fe97400748fe3e503911ca7928", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Actio", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Actio", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "31c68dfd2d08548c4a42fcaed106d4a2bb4d255a", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 12:11:22 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit)	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 512 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 512 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-N Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0703723cf11531696e7769eb22f8d9b281390533", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 927, "payload_entropy": 5.629224611829844, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "acb91e0e53779c097d8d44be0ab94cc5fdd213a6", "event_fingerprint": "ed7cd4b5808a7b0088bf2b6ff027999d206ef1c8", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c9d890423bdd8f672926a6e46bf361c3", "payload_hash": "a788ce137fb8d66e7aa734bded7a238a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-N", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-N", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "60a9757b976b2f48e43d0a8495e8e9176aa5d04f", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit)", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 12:11:22 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /_next	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 512 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 512 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1c1f86ba252c0c8ebc250acab48718f12d6d1efd", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 922, "payload_entropy": 5.640624820872229, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "c38ba9371dae7cb9f392003889a5e2034699ce93", "event_fingerprint": "c49bbffea35129d829a515ff116f95c1704735dd", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "72d43eb808798db218d063798749cc39", "payload_hash": "87c79fa7553811d02b86666b1e9bbf7b", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "33eb4aa7145c33d49866cd9fe5ec4eb8f2472ee0", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 12:11:21 UTC	TCP	3000 · NODE HTTP	node-http	Sonde HTTP Sonde HTTP · via NODE HTTP:3000 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur NODE-HTTP WAF — Recommandation Surveiller Tags net_web_probe node_http_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Service NODE HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 71% Confiance classification 71% Risque capteur Moyen · 40 Confiance : Confiance 71 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "node-http", "app_proto": "node-http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 40, "tag_count": 2, "anomaly_count": 0, "campaign_key": "7c356cd3f41196ebc417361b0f54b35bbef962c4", "event_fingerprint": "34fd482cd7628741af06d058b16059cafd546c90", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "service_name": "node-http", "target_context": { "dst_port": 3000, "service": "node-http", "service_name": "node-http", "risk_score": 40 }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.71, "classification_confidence": 0.71, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9fbb176b8be7c53f9f74a0d17880aaafba7d2e40", "protocol_details": { "port": 3000, "service": "node-http", "service_label_fr": "NODE HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via NODE HTTP:3000 \u00b7 (sonde \/ probe)", "target_port_label": "3000 \u00b7 NODE HTTP", "emulator_service": "node-http", "confidence_reason": "Confiance 71 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 71, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "node-http", "service_label_fr": "NODE HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-node-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 3000, "service": "node-http", "service_label_fr": "NODE HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via NODE HTTP:3000 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "3000 \u00b7 NODE HTTP", "emulator_service": "node-http", "confidence_reason": "Confiance 71 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 71 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "node_http", "service_banner": "honeypot-node-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_web_probe", "node_http_emulated" ] }
18/06/2026 12:11:21 UTC	TCP	3000 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:3000 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74% Confiance classification 82% Corrélation +8 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 20 · 1 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3000 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.502479553833678, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "acadabb6e608d1908fefd541c4cece676bd41c90", "event_fingerprint": "0a8ad1cb33910f55ec66abeb641b5eb23668cec0", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "597220e036db121e0b6ae329850b51eb", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 8 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.82, "classification_confidence": 0.82, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7dc19df7e993431aa64cf30efafc82ee2e53c1a4", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:3000 \u00b7 (sonde \/ probe)", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 82, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:3000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 82 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 84 }
18/06/2026 07:05:02 UTC	TCP	4000 · REMOTEANYTHING	remoteanything	remoteanything remoteanything · via REMOTEANYTHING:4000 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur REMOTEANYTHING WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4000 Chemin / cible — Service REMOTEANYTHING Pourquoi cette classification : Type « remoteanything » (signaux protocolaires) · confiance 0% Confiance classification 10% Corrélation +10 Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742072656d6f7465616e797468696e6720726561647920706f72743d343030300d0a", "emulator_response_len": 45, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "remoteanything", "app_proto": "remoteanything", "asn": 215925, "country": "US", "dst_port": 4000, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.2, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "f88a96a7a2195ddc5425c713492dfeb24a49282e", "event_fingerprint": "07cd5f73535b136b58bd81864049efd35e649f3d", "classification_reason": "Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.1, "classification_confidence": 0.1, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "remoteanything", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "910f1d0651f97b463356bb788b95ea33" }, "target_context": { "dst_port": 4000, "service": "remoteanything", "service_name": "remoteanything", "risk_score": 0 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2a87d09db003d6362a4d925c05dd4f0ca2576d90", "protocol_details": { "port": 4000, "service": "remoteanything", "service_label_fr": "REMOTEANYTHING" }, "attack_vector": "remoteanything \u00b7 via REMOTEANYTHING:4000 \u00b7 (sonde \/ probe)", "target_port_label": "4000 \u00b7 REMOTEANYTHING", "emulator_service": "remoteanything", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 10, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 0, "risk_label": "Faible", "service_name": "remoteanything", "service_label_fr": "REMOTEANYTHING", "dst_port": 4000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-remoteanything", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 4000, "service": "remoteanything", "service_label_fr": "REMOTEANYTHING" }, "attack_vector": "remoteanything \u00b7 via REMOTEANYTHING:4000 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "4000 \u00b7 REMOTEANYTHING", "emulator_service": "remoteanything", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "remoteanything", "service_banner": "honeypot-remoteanything", "service_os": "linux", "dst_port": "4000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "behavior_alert_count": 1, "behavior_priority": 84 }
18/06/2026 07:05:02 UTC	TCP	4000 · REMOTEANYTHING	remoteanything	remoteanything remoteanything · via REMOTEANYTHING:4000 · (sonde / probe)	Moyenne	Faible · 24
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur REMOTEANYTHING WAF — Recommandation Surveiller Tags http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4000 Chemin / cible — Service REMOTEANYTHING Payload GET / HTTP/1.1 Host: 62.3.50.33:4000 Connection: close Pourquoi cette classification : Type « remoteanything » (signaux protocolaires) · confiance 0% Confiance classification 10% Corrélation +10 Risque capteur Faible · 24 Confiance : Confiance 0 % — 1 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4000 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742072656d6f7465616e797468696e6720726561647920706f72743d343030300d0a", "emulator_response_len": 45, "bytes_in": 60, "payload_entropy": 4.556564762130954, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "remoteanything", "app_proto": "remoteanything", "asn": 215925, "country": "US", "dst_port": 4000, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 32, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.5, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15 }, "risk_score": 24, "tag_count": 1, "anomaly_count": 0, "campaign_key": "7daab5526d463d9e36ac8ca3a98ef295abd5089f", "event_fingerprint": "07cd5f73535b136b58bd81864049efd35e649f3d", "classification_reason": "Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.1, "classification_confidence": 0.1, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15, "risk_score": 24, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "remoteanything", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3fea6dc73311d972d570b1f15b0da5aa", "path_pattern_hash": "910f1d0651f97b463356bb788b95ea33" }, "target_context": { "dst_port": 4000, "service": "remoteanything", "service_name": "remoteanything", "risk_score": 24 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close", "classification_reason": "Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "96ee32bd7f1429c62e6864b8deb7ae7f85fce228", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close", "port": 4000, "service": "remoteanything", "service_label_fr": "REMOTEANYTHING" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close", "attack_vector": "remoteanything \u00b7 via REMOTEANYTHING:4000 \u00b7 (sonde \/ probe)", "target_port_label": "4000 \u00b7 REMOTEANYTHING", "emulator_service": "remoteanything", "confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab remoteanything \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 10, "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15, "risk_score": 24, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 24, "risk_label": "Faible", "service_name": "remoteanything", "service_label_fr": "REMOTEANYTHING", "dst_port": 4000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-remoteanything", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close", "port": 4000, "service": "remoteanything", "service_label_fr": "REMOTEANYTHING" }, "attack_vector": "remoteanything \u00b7 via REMOTEANYTHING:4000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4000\r\nConnection: close", "target_port_label": "4000 \u00b7 REMOTEANYTHING", "emulator_service": "remoteanything", "confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "remoteanything", "service_banner": "honeypot-remoteanything", "service_os": "linux", "dst_port": "4000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe" ] }
18/06/2026 04:26:27 UTC	TCP	8088 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8088 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 76
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, l… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8088 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 76 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 503 Connection: close User-Agent: Mozilla/5.0 (Linux; Andr Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 503 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Accept-Encoding: gzip, deflate Ne Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "8563f2ed0fd1b3832e8c528ca96b1f98a5b0004e", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 931, "payload_entropy": 5.625613885245592, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 76, "tag_count": 13, "anomaly_count": 0, "campaign_key": "b11bbf08f0ba0617fefe9c9a3c6baf0c8db9a19b", "event_fingerprint": "aa09415c50c71a8a5d6380143e1dd26a223d483f", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fcf5bfa409c42db4e4a5f32bcc91f966", "payload_hash": "cdb356c39ba0da7eb271bae639056f5d", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 76 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 503\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 503\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNe", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 503\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 503\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNe", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 503\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "05ef3ca8ec62c74cb040e68422d73e05eb62bd4e", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 503\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 76, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 503\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8088" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 04:26:27 UTC	TCP	8088 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8088 · (tentative d'exploit) · → /app	Élevée	Élevé · 76
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8088 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 76 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) A Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-R Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1c1f86ba252c0c8ebc250acab48718f12d6d1efd", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 928, "payload_entropy": 5.629631479307992, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 76, "tag_count": 12, "anomaly_count": 0, "campaign_key": "b9be4450eecffc4d605b73310b426f230ea57659", "event_fingerprint": "a76ba649321c8ece6fd560e53841a342393796bc", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "72d43eb808798db218d063798749cc39", "payload_hash": "d3cb8ffc9fae458bd2bd519716778fb9", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 76 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-R", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-R", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f432b7cb8845c379d9ab771dc4ad1a7277e38f6c", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 76, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8088" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 04:26:27 UTC	TCP	8088 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8088 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 76
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8088 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 76 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86 Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Ne Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1c1f86ba252c0c8ebc250acab48718f12d6d1efd", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 934, "payload_entropy": 5.6485691348233855, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 76, "tag_count": 16, "anomaly_count": 0, "campaign_key": "66b4ed6a0ded7aa54d815d6af0358922f1e903e7", "event_fingerprint": "831932703b6e4f316e985ecbe3bdb6ff75d01188", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "72d43eb808798db218d063798749cc39", "payload_hash": "c3c9580665000ef4059508eee7d6c7cf", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 76 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Ne", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Ne", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "285eddc63c6a7b4ea730e97bf4e7a1e02040f2a1", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 76, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 10 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8088" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 04:26:26 UTC	TCP	8088 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8088 · (tentative d'exploit)	Élevée	Élevé · 76
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007;… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8088 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 76 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 14; SM-F Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile Safari/537.36 A Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "1978af5307537775fab4b66b0f1439319be37ce1", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 985, "payload_entropy": 5.688727677032637, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 76, "tag_count": 13, "anomaly_count": 0, "campaign_key": "b99e469991b601cc8de0e5929a49ae8b7a6c9d5c", "event_fingerprint": "776e8baedccd03d8fb5e94ec580a074cc2f9d60f", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7967be4fa492cfad4b86b41e3ae090e9", "payload_hash": "3483e3c41dc06c3186c188583bef58f7", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 76 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36\r\nA", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36\r\nA", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f246ed980b17682ad125cde768483d2d7ea008e0", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F", "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit)", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 76, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8088" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 04:26:26 UTC	TCP	8088 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8088 · (tentative d'exploit) · → /_next	Élevée	Élevé · 76
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) Appl… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8088 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 76 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Accept Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1cafc1ec7983977ff1b9c77c60e09ef5fe869a95", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 979, "payload_entropy": 5.684701842404707, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 76, "tag_count": 12, "anomaly_count": 0, "campaign_key": "b9be4450eecffc4d605b73310b426f230ea57659", "event_fingerprint": "8c62f85e504446ca970e43ef1880c610b51105e1", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c772734c6eb2978096c283068906aec3", "payload_hash": "3806413494a8c58f15ac080473db8625", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 76 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAccept", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAccept", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "63ad9d427fe55deeebbbf67716a46863d300dc93", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 76, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8088" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 04:26:26 UTC	TCP	8088 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8088 · (tentative d'exploit) · → /api	Élevée	Élevé · 76
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, l… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8088 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 76 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 10; K Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8088 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Accept-Encoding: gzip, deflate Next-Action Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "8563f2ed0fd1b3832e8c528ca96b1f98a5b0004e", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 936, "payload_entropy": 5.638222771617396, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.5, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 76, "tag_count": 14, "anomaly_count": 0, "campaign_key": "5a7ff7c847295bc7c8cb7b26fcdad8652f339051", "event_fingerprint": "15943422306ff76579bc72abd66553de406ebfa2", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fcf5bfa409c42db4e4a5f32bcc91f966", "payload_hash": "10861440be9d62f478f02bb4c87a3614", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 76 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5301ca8f303ca101fb4af45c99b60dc72b76f023", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K", "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 76\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 76, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 76, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8088" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 04:26:25 UTC	TCP	8088 · HTTP ALT 8088	http-alt-8088	http-alt-8088 http-alt-8088 · via HTTP ALT 8088:8088 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP-ALT-8088 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8088 Chemin / cible — Service HTTP ALT 8088 Pourquoi cette classification : Type « http-alt-8088 » (signaux protocolaires) · confiance 0% Confiance classification 10% Corrélation +10 Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http-alt-8088", "app_proto": "http-alt-8088", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "be18fd5396c091ebd409f5cfdf732d730b8067d4", "event_fingerprint": "e4439b80d6e4b371d582e64e67ce8ed1e436ce25", "classification_reason": "Type \u00ab http-alt-8088 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.1, "classification_confidence": 0.1, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http-alt-8088", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "f7ffc7733123826391689a4267b358d2" }, "target_context": { "dst_port": 8088, "service": "http-alt-8088", "service_name": "http-alt-8088", "risk_score": 0 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f4361951a29bb7613a383046fe98daf61717659f", "protocol_details": { "port": 8088, "service": "http-alt-8088", "service_label_fr": "HTTP ALT 8088" }, "attack_vector": "http-alt-8088 \u00b7 via HTTP ALT 8088:8088 \u00b7 (sonde \/ probe)", "target_port_label": "8088 \u00b7 HTTP ALT 8088", "emulator_service": "http-alt-8088", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab http-alt-8088 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab http-alt-8088 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 10, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 0, "risk_label": "Faible", "service_name": "http-alt-8088", "service_label_fr": "HTTP ALT 8088", "dst_port": 8088, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8088", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 8088, "service": "http-alt-8088", "service_label_fr": "HTTP ALT 8088" }, "attack_vector": "http-alt-8088 \u00b7 via HTTP ALT 8088:8088 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8088 \u00b7 HTTP ALT 8088", "emulator_service": "http-alt-8088", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8088", "service_banner": "honeypot-http-alt-8088", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "behavior_alert_count": 1, "behavior_priority": 84 }
18/06/2026 04:26:25 UTC	TCP	8088 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8088 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8088 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74% Confiance classification 92% Corrélation +18 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 20 · 1 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8088 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.577316637094897, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8088, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "4c107cce6f4a587053401a64b6b1b030c9318e51", "event_fingerprint": "1c74cf8230f9b4879e57da93bad95e8e25d3b4ad", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fa2a0b2b1c98b17895dcddedb757fab1", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nConnection: close", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 18 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bc33383ed8e0c2f1bcfb3fd821dc70944507008c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8088 \u00b7 (sonde \/ probe)", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 92, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 18 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8088 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nConnection: close", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 92 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8088" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ] }
18/06/2026 00:52:33 UTC	TCP	8081 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8081 · (tentative d'exploit) · → /app	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8081 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-Request-Id: poop1234 C Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "fac64969f9eca34262c56352be2d62dd2d22b1a0", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 912, "payload_entropy": 5.6103873469253465, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "25d3500a65098389ca2d8b93c8549931b42caa48", "event_fingerprint": "7edc76f815cbe0e9c24ae088c9bf500e285a17cb", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f10b48170735feac18b44fa385fef37", "payload_hash": "fd9c0b6cb0be57eb2093d0ed950ee90c", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "477a028c6c4b670fb24023bf32d3b33ac8a774e9", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8081" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 00:52:33 UTC	TCP	8081 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8081 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8081 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 512 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_ Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 512 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "d336075c3988c6b7205cebd57d13f49ace6a0b3b", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 935, "payload_entropy": 5.671840414490546, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 16, "anomaly_count": 0, "campaign_key": "0740b3e614b8bf2fe05dca85c370c515474f3b99", "event_fingerprint": "685ea63dea2f86feffea0cc11e67cd645f6c7148", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5ea6889a59d080298a42c0e1b4758211", "payload_hash": "7bca9079c4fee8d79eb83fe6a304441f", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "117f48d1cc6e99600e0459096be51362992943c0", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 512\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 10 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8081" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 00:52:32 UTC	TCP	8081 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8081 · (tentative d'exploit) · → /_next	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007;… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8081 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 14; Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile Safari/537. Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1978af5307537775fab4b66b0f1439319be37ce1", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 989, "payload_entropy": 5.661188340149327, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "25d3500a65098389ca2d8b93c8549931b42caa48", "event_fingerprint": "7d4995e339bce9d45351ec2b6c401891d9d6f950", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7967be4fa492cfad4b86b41e3ae090e9", "payload_hash": "e3d78c5bea21e13223dad145fdb5ba2d", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "db2155e32907d2ea79a335207fcd031bd4fbf51e", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;", "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8081" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 00:52:32 UTC	TCP	8081 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8081 · (tentative d'exploit) · → /api	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8081 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 508 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) A Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 508 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-R Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1c1f86ba252c0c8ebc250acab48718f12d6d1efd", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 914, "payload_entropy": 5.642282302744467, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 14, "anomaly_count": 0, "campaign_key": "3e1047700df921ca5fa7796d53fff1af0d36f873", "event_fingerprint": "095d99f9383f5428ad0c682c3b7d635d59b356c2", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "72d43eb808798db218d063798749cc39", "payload_hash": "8fd5ba97f11a2b910bdb94cbc5ea3bc0", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-R", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-R", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9b308a74e981a4dbc17baac05ee6aa7a02725e17", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8081" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 00:52:32 UTC	TCP	8081 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8081 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, l… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8081 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Andr Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Accept-Encoding: gzip, deflate Ne Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "8563f2ed0fd1b3832e8c528ca96b1f98a5b0004e", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 952, "payload_entropy": 5.628612626558637, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "bbbaa927603c8e1a206800afdcd2c5078814801e", "event_fingerprint": "b17e3bb78441026be83582a88b87db052e47c107", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fcf5bfa409c42db4e4a5f32bcc91f966", "payload_hash": "4eb5344abc8f8abead235afd3f98eb1a", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNe", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNe", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dde3ba13e44dfd8d813f6ab3c3ca56cd035c19f1", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8081" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 00:52:31 UTC	TCP	8081 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8081 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8081 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74% Confiance classification 82% Corrélation +8 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 20 · 1 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8081 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.577316637094897, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "b449e7b9d7b63a4b5e0f229bd49fb797df3a4d46", "event_fingerprint": "6200042a8eedd96c47b109adc0963a36d177f604", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5607155b0334748016e5c0e15d70bf62", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nConnection: close", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 8 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.82, "classification_confidence": 0.82, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c8c08f24cc67d56e7465f34a5eaafddbdcccad33", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe)", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 82, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nConnection: close", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 82 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8081" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ] }
18/06/2026 00:52:31 UTC	TCP	8081 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8081 · (tentative d'exploit)	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8081 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2 Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8081 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Accept-Encoding: gzip, defla Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "22d9380abcdf97c82db21728e444020cf16735ea", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 958, "payload_entropy": 5.694361291861005, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.4, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "5558eaaa3b52e1f0ccc0c7b1b24b17d03b0f50d6", "event_fingerprint": "1213fcdd21b85075d772fad75b2dd0cb423568f7", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6c8160595869adea51d6742918f57fdf", "payload_hash": "14574234126249738db68fb1bef61772", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gzip, defla", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gzip, defla", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "945a4d4e4f465d0e9cc3c6c5cee66d4b2a958093", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2", "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit)", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8081" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
18/06/2026 00:52:30 UTC	TCP	8081 · HTTP ALT 8081	http-alt-8081	http-alt-8081 http-alt-8081 · via HTTP ALT 8081:8081 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP-ALT-8081 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8081 Chemin / cible — Service HTTP ALT 8081 Pourquoi cette classification : Type « http-alt-8081 » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http-alt-8081", "app_proto": "http-alt-8081", "asn": 215925, "country": "US", "dst_port": 8081, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "d64dc0c930338d642f642e22846c64f959ad84a2", "event_fingerprint": "1023f61ccc055c445b71c912dbddfda91b08657e", "classification_reason": "Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "named_classification_skipped": false, "service_name": "http-alt-8081", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "721fec86c34b7fdcb2df85c882e6db0e" }, "target_context": { "dst_port": 8081, "service": "http-alt-8081", "service_name": "http-alt-8081", "risk_score": 0 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5a23a81b3543b077eb32d0270ad7852c08db0e8d", "protocol_details": { "port": 8081, "service": "http-alt-8081", "service_label_fr": "HTTP ALT 8081" }, "attack_vector": "http-alt-8081 \u00b7 via HTTP ALT 8081:8081 \u00b7 (sonde \/ probe)", "target_port_label": "8081 \u00b7 HTTP ALT 8081", "emulator_service": "http-alt-8081", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "http-alt-8081", "service_label_fr": "HTTP ALT 8081", "dst_port": 8081, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8081", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 8081, "service": "http-alt-8081", "service_label_fr": "HTTP ALT 8081" }, "attack_vector": "http-alt-8081 \u00b7 via HTTP ALT 8081:8081 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8081 \u00b7 HTTP ALT 8081", "emulator_service": "http-alt-8081", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8081", "service_banner": "honeypot-http-alt-8081", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 19:27:39 UTC	TCP	8443 · HTTPS	https	Sonde HTTP smuggling http smuggling probe · via HTTPS:8443 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload POST /api/route HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Andr Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL User-Agent — Règles WAF — Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Andr Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Accept-Encoding: gz Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 973, "payload_entropy": 5.670524081395891, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e6b2cf8ce9f9336bf0fcf7e6fb346b1f13664c68", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c37e15cd122c9f5cbd1f4ed7895d5217", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 52 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gz", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "evidence": { "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gz", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f9efaafa7e21639d86f7e5bcb35713bbb62ecb4b", "protocol_details": { "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTPS", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "mozi_pattern", "net_web_probe" ] }
17/06/2026 19:27:38 UTC	TCP	8443 · HTTPS	https	Sonde HTTP smuggling http smuggling probe · via HTTPS:8443 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload POST /_next HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; W Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL User-Agent — Règles WAF — Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; W Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Accept-Encoding: gzip, deflate Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 960, "payload_entropy": 5.673852434363297, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e6b2cf8ce9f9336bf0fcf7e6fb346b1f13664c68", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cff8ef0b9a30d80e3be420f1e0184491", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 52 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "evidence": { "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "78fb835dce8a7733a111719fb4c58724c67249ea", "protocol_details": { "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTPS", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "mozi_pattern", "net_web_probe" ] }
17/06/2026 19:27:38 UTC	TCP	8443 · HTTPS	https	Sonde HTTP smuggling http smuggling probe · via HTTPS:8443 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload POST /api HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) A Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL User-Agent — Règles WAF — Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) A Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-R Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 928, "payload_entropy": 5.6536094614911585, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e6b2cf8ce9f9336bf0fcf7e6fb346b1f13664c68", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "00cb63d97c8089bfa17d142b9fda913d", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 52 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-R", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "evidence": { "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-R", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cc8bed717a2f46702e81a85a304b792592ded567", "protocol_details": { "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTPS", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "mozi_pattern", "net_web_probe" ] }
17/06/2026 19:27:38 UTC	TCP	8443 · HTTPS	https	Sonde HTTP smuggling http smuggling probe · via HTTPS:8443 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload POST /_next/server HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL User-Agent — Règles WAF — Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 937, "payload_entropy": 5.629850125977651, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e6b2cf8ce9f9336bf0fcf7e6fb346b1f13664c68", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "85ae011dfe1ff420eccecf0fc1d117d2", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 52 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux ", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux", "evidence": { "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "85381db4aad4ac9076d9c75301480315f31351bc", "protocol_details": { "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux", "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTPS", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "mozi_pattern", "net_web_probe" ] }
17/06/2026 19:27:38 UTC	TCP	8443 · HTTPS	https	Sonde HTTP smuggling http smuggling probe · via HTTPS:8443 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload POST /app HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) A Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL User-Agent — Règles WAF — Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) A Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-R Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 928, "payload_entropy": 5.657142050208568, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e6b2cf8ce9f9336bf0fcf7e6fb346b1f13664c68", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ee2b9db850994d3803c9e5dda06ff950", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 52 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-R", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "evidence": { "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-R", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f5ca57a50355fee3140d7df7d4711ac067770260", "protocol_details": { "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTPS", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "mozi_pattern", "net_web_probe" ] }
17/06/2026 19:27:37 UTC	TCP	8443 · HTTPS	https	Sonde HTTP smuggling http smuggling probe · via HTTPS:8443 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload POST / HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) Appl Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 52 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL User-Agent — Règles WAF — Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) Appl Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-Requ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 925, "payload_entropy": 5.6558986623651615, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e6b2cf8ce9f9336bf0fcf7e6fb346b1f13664c68", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bb2d2763a03012d35673a3df2fafdc6a", "path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 52 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Requ", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "evidence": { "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Requ", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ebf70aa7b9d0d9887c067b3ab139d50c4aa1b4e7", "protocol_details": { "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTPS", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 85, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "http smuggling probe \u00b7 via HTTPS:8443 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) Appl", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "mozi_pattern", "net_web_probe" ] }
17/06/2026 19:27:36 UTC	TCP	8443 · HTTPS	https	Sonde HTTP Sonde HTTP · via HTTPS:8443 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 71% Confiance classification 71% Risque capteur Moyen · 40 Confiance : Confiance 71 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 40, "tag_count": 2, "anomaly_count": 0, "campaign_key": "baa690d1c17ffc3e0bea7942e5e4e6fb74221eb7", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "service_name": "https", "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 40 }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.71, "classification_confidence": 0.71, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a290a31f54554d3db67fb9ec50e66b26c3cce82", "protocol_details": { "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "Sonde HTTP \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 71 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 71, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "Sonde HTTP \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 71 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 71 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe" ] }
17/06/2026 19:27:36 UTC	TCP	8443 · HTTPS	https	Sonde HTTP Sonde HTTP · via HTTPS:8443 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port http_get_probe net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload GET / HTTP/1.1 Host: 62.3.50.33:8443 Connection: close Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 74% Confiance classification 74% Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8443 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 60, "payload_entropy": 4.602479553833678, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "https", "app_proto": "https", "asn": 215925, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ee1718673413d9545e04a504276fd0deb0f77bc5", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9a7cf108f246e65363b5dcc8a3ec1bf9", "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "service_name": "https", "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%" }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9bbddd6a7fcf6f3e1efd20616cd305933caf708d", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 74, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "Sonde HTTP \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nConnection: close", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 74 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "net_web_probe" ] }

45.198.224.244

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence